Anyone with an email address can get into the Facebook and WhatsApp law enforcement portals, which are designed for law enforcement agents to file requests for user data.
Getting into the two portals doesn't grant access to any user information, nor to any sensitive information about the company. But the portals do not check that a registering email address belongs to a law enforcement agency, leaving the door open for spammers to freely access the portals and submit fake requests.
Last week, security researcher Jacob Riggs discovered that he could get access to the two portals with any email address. All he needed to do was enter his email address, submit it to the portals, and then click on a confirmation link he received in his inbox.
Once he did that, he could file requests for records through the portals' request forms.
Motherboard was able to reproduce Riggs's findings.
Riggs reported the issue to Facebook, thinking it was due to a design flaw that needed to be fixed. Facebook, however, told Riggs and Motherboard that this was a feature, not a bug.
"Dedicated teams from Facebook and WhatsApp carefully review each and every law enforcement request to ensure we only respond to valid legal processes required by applicable law. While we maintain policies to prevent spam abuse of the online request system, we have chosen to allow a wider aperture at the registration step because we conduct a manual review of every request that comes to our company," a Facebook spokesperson said in a statement. "In many cases, requests involve real-time emergencies and we would prefer to scrutinize access requests manually rather than automatically reject an unfamiliar e-mail domain like the one the security researcher used."
The spokesperson added that the system does reject some email domains and has other rules to prevent spam. In other words, Facebook prefers to let anyone register and submit a request, and then check that the request is real and legal, rather than block registrants with an automated filter or require agents to prove their identity before they can register.
"I guess it's analogous to a minor trying to get into a nightclub. Their 'basic validation' is the door staff screening customers at the entrance. If a minor somehow gains entry, they don't consider it a security issue, as the bar staff will still check their ID when they try to order alcohol," Riggs said. "In this context, they seem confident their bar staff would recognise a fake ID."
Do you work at WhatsApp or Facebook, did you use to, or do you know anything else about the company? We'd love to hear from you. Using a non-work phone or computer, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, on Wickr at lorenzofb, OTR chat at email@example.com, or email firstname.lastname@example.org.
In any case, both the Facebook and WhatsApp portals include a note meant to discourage potential spammers, warning them that only "governmental entities authorized to obtain evidence in connection with official legal proceedings" can file requests.
"Unauthorized requests will be subject to prosecution," the note reads. "By requesting access you are acknowledging that you are a government official making a request in official capacity."
Google's law enforcement portal, for comparison, only allows "verified" law enforcement agents to submit requests for user data, according to the company's site. In fact, Riggs could not get into the Google portal using his personal email address.
Tech companies routinely receive and process legitimate data requests through these portals. In its latest transparency report, which includes data requests for Facebook, Facebook Messenger, Instagram, WhatsApp, and Oculus, and which covers the last six months of 2019, the company revealed that it had received 140,875 requests for user data.