Apple has patched a little-known App Store loophole that enabled developers to harvest data on iOS users’ contacts, thereby limiting third-party access to potentially unprotected sources of personal information. Previously announced Apple privacy safeguards applied to the user’s own data, but not that of their contacts, creating a treasure trove of information that could be used individually or via compositing from multiple users with contacts in common.

As explained in a new report from Bloomberg, iOS app developers have been allowed to request a user’s permission to access address book or contact data, which, if granted, enabled aggregation of multiple types of information about friends, family, and business associates — names, phone numbers, email addresses, profile photos, birth dates, home and work addresses, and information on how recently the contact was created. This information could be transferred virtually anywhere as soon as a user grants permission, without any tracking or other information being sent to Apple.

The issue is that unlike the app’s user, who has the ability to choose whether her information is shared, the contact is never asked for that permission, nor given any opportunity to withdraw it. Developers are able to sell that information to data brokers and leverage knowledge of your contacts to advertise items to you with endorsements from friends and family, akin to Facebook’s “your friends already like this product page” feature. Some developers have bulk-texted friends of users using contact information to help build user bases for their services.

Apple’s change blocks apps from contacting people using contact- or photo-gathered information, “except at the explicit initiative of that user on an individualized basis.” Developers are also required to provide a clear advance description of how the contacting message will appear to the recipient. The rules also bar developers from making, sharing, or selling databases of shared contact information, as well as using the information for previously undisclosed purposes.

But there’s no way to go back and either block or retrieve data previously shared. You can turn off the faucet going forward, but whatever’s been given to developers is already out there.