
Anyone with an email address can get into Facebook and WhatsApp law enforcement portals, designed for law enforcement agents to file requests for user data.
Getting into these two portals doesn’t grant people access to any user information, nor to any sensitive information about the company. But the portals are not designed to filter email addresses in any way, leaving the door open for spammers to freely access the portals and send fake requests.
Last week, security researcher Jacob Riggs discovered that he could get access to the two portals with any email address. All he needed to do was enter his email address, submit it to the portals, and then click on a confirmation link he received in his inbox.
Riggs reported the issue to Facebook, thinking it was due to a design flaw that needed to be fixed. Facebook, however, told Riggs and Motherboard that this was a feature, not a bug.
Facebook prefers to let anyone submit a request and then check that it’s real and legal, rather than block them with an automated system or require agents to register.
“Dedicated teams from Facebook and WhatsApp carefully review each and every law enforcement request to ensure we only respond to valid legal processes required by applicable law. While we maintain policies to prevent spam abuse of the online request system, we have chosen to allow a wider aperture at the registration step because we conduct a manual review of every request that comes to our company,” a Facebook spokesperson said in a statement.
Google’s law enforcement portal, for comparison, only allows “verified” law enforcement agents to submit requests for user data, according to the company’s site. In fact, Riggs could not get into the Google portal using his personal email address.
Source: vice.com