Facebook has been inadvertently collecting phone numbers belonging to people who download the site’s Android application -- even if they aren’t members of the social network, don’t ever sign into the app or don’t explicitly share their cell phone number.
The bug was reported by a security software provider Wednesday and has been confirmed by Facebook, which noted the problem will be addressed in the forthcoming version of the app. A Facebook spokesman said the company believes the technical flaw was introduced in February of this year.
Symantec, the software provider, announced in a blog post that its mobile security software, which looks for apps that could pose privacy risks, found that Facebook’s Android app had been “leaking” the phone number of Android devices on which it was installed. A Symantec spokesman told The Huffington Post that any Android smartphone running the buggy Facebook app was affected by the flaw and could have had its phone number uploaded to Facebook's servers.
“The first time you launch the Facebook application, even before logging in, your phone number will be sent over the Internet to Facebook servers,” Symantec's blog post said. “You do not need to provide your phone number, log in, initiate a specific action, or even need a Facebook account for this to happen.”
Facebook's spokesman told The Huffington Post that the social network did not "use or process the numbers in any way," and said they had been deleted from Facebook’s servers.
“This was a bug in the Facebook for Android app, and we thank Symantec for bringing it to our attention,” Facebook spokesman Derick Mains told The Huffington Post in an email. “We've fixed it in the next version of the app, which is available for anyone to download as a beta today."
Symantec estimated in its blog post that a "significant portion" of the "hundreds of millions of devices" on which Facebook's Android app have been installed were affected by the bug. Mains said that because Facebook deleted the collected phone numbers after being notified of the bug, it could not estimate how many people were affected or numbers were collected.
This article has been updated to include additional information from Symantec and comment from a Facebook spokesman.