Facebook two-factor authentication spams users via SMS

Facebook just can't catch a break these days, which is probably nothing unexpected for one of the world's biggest social networks. It is involved in one privacy issue after another, not to mention the lawsuits springing from those. This latest incident could definitely be added to that list if some law firm takes interest. Users are reporting that they are receiving SMS notifications about Facebook posts without having agreed to them. More worryingly, Facebook seems to have used the phone number users connected to the network's two-factor authentication system.

Two-factor authentication, or 2FA for short, often uses a phone number, mobile app, or email for sending a PIN to verify your login. Considering 2FA is a tool for security, the last thing you'd expect is for it to use that phone number or email to send you unsolicited information, a.k.a. spam. Facebook might not agree.

Software engineer Gabriel Lewis noticed that he was receiving text messages from Facebook when his friends posted something, even though he had never set up SMS notifications. To his shock, he realized that the number Facebook was sending these notifications to was the number he used for two-factor authentication. To add insult to injury, replying to the SMS sender causes that reply to be automatically posted on the user's timeline. Since the news broke, multiple users have confirmed the situation.

Like the mythical Hydra, this issue has multiple heads. None of the users set up SMS notifications. Facebook didn't explicitly ask the users' permission to send them such messages, which is illegal in some jurisdictions. Then there's the fact that Facebook is using the phone number for a purpose other than 2FA, and that it has connected that number to the user's timeline. The working theory at the moment is that Facebook connected the 2FA phone number with its system for posting via SMS and receiving notifications through the same channel, a feature it enables in some markets where cellular data connections are not as prevalent or affordable.

That, however, doesn't exactly explain why Facebook did so. A Facebook representative expertly dodged admitting there is an issue and simply said that the company is investigating the matter. The rep further explained that Facebook gives users control over their notifications, though apparently not that much. And finally, Facebook's 2FA can also use an authenticator app instead of a phone number, so it really isn't forcing you to give it your phone number. But in case you make the mistake of doing so (the phone number is the first option users will see), you might be implicitly giving it permission to spam you.

VIA: The Verge