Facebook users are being urged to check their privacy settings, after a software engineer discovered a way to harvest data about thousands of users by guessing their mobile phone numbers.
All it takes is a phone number: using a simple number-generating algorithm, Moaiandin was able to produce thousands of positive matches which, when fed into Facebook's developer API, gave him access to a large number of Facebook accounts.
“Unfortunately for the 1.44 billion people now using Facebook, this means that sophisticated hackers and black market sellers can access names and mobile phone numbers in as little as an hour through reverse engineering – at a time when an entire identity can be sold for as little as ”, he said.
It’s like “walking into a bank, asking for a few thousand customers’ personal information based on their account number, and the bank telling you: ‘Here are their customer details’”.
Reza Moaiandin, a technical director at Salt Agency, has found that using a computer to automatically submit generated phone numbers can let people scrape a huge amount of data on Facebook users easily.
“Through this, a hacker can then communicate with Facebook’s GraphQL to get as many details as possible, by passing the hashed ID”.
The “Who can search for me?” setting is set to public by default, meaning that even if your mobile number is withheld on the site, it can still be used to find you using this loophole. His public post was designed to encourage Facebook to heed his warnings.
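From the API operator's side, the scraping described above looks like one client submitting many distinct, often consecutive, phone numbers to the lookup endpoint in a short time. The following added example (not code from the article or from Facebook) shows detection logic over constructed log lines in a hypothetical format, flagging clients by lookup volume and by how often successive numbers step by a small delta; the thresholds and the `app_*` client ids are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical format): timestamp, API client id, number, match result.
LOG = """\
2015-08-06T10:00:00Z app_1234 +447700900001 hit
2015-08-06T10:00:01Z app_1234 +447700900002 miss
2015-08-06T10:00:02Z app_1234 +447700900003 hit
2015-08-06T10:00:03Z app_1234 +447700900004 hit
2015-08-06T10:00:04Z app_1234 +447700900005 miss
2015-08-06T10:00:05Z app_1234 +447700900006 hit
2015-08-06T10:05:00Z app_9999 +447700912345 hit
2015-08-06T10:20:00Z app_9999 +447700900555 miss
"""

LINE = re.compile(r"^(\S+) (\S+) \+?(\d+) (hit|miss)$")

def parse(log):
    """Group lookup events per API client as (time, number, matched) tuples."""
    events = defaultdict(list)
    for line in log.strip().splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events[m.group(2)].append((ts, int(m.group(3)), m.group(4) == "hit"))
    return events

def enumeration_score(evts, window=timedelta(minutes=10)):
    """For the busiest window, return (distinct numbers looked up, count of
    consecutive lookups whose numbers differ by at most 10, i.e. sequential guessing)."""
    evts = sorted(evts)
    best = (0, 0)
    for i, (t0, _, _) in enumerate(evts):
        nums = [n for t, n, _ in evts[i:] if t - t0 <= window]
        distinct = len(set(nums))
        seq = sum(1 for a, b in zip(nums, nums[1:]) if 0 < abs(b - a) <= 10)
        if distinct > best[0]:
            best = (distinct, seq)
    return best

def flag_clients(log, max_distinct=5, min_seq=3):
    """Return clients whose lookup volume or sequential pattern exceeds the thresholds."""
    flagged = {}
    for client, evts in parse(log).items():
        distinct, seq = enumeration_score(evts)
        if distinct > max_distinct or seq >= min_seq:
            flagged[client] = {"distinct": distinct, "sequential": seq}
    return flagged
```

A flagged client is a candidate for rate limiting or key review; a legitimate app looking up a handful of unrelated numbers, like `app_9999` here, stays below both thresholds.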
The researcher says he has contacted Facebook twice since discovering the issue, though Facebook apparently doesn’t consider it a vulnerability that can be abused.
Facebook was alerted to the bug on 22 April and again on 28 July, but insisted that protection against this hacking technique is already in place.
“We have strict rules that govern how developers are able to use our APIs to build their products”.
“The privacy of people who use Facebook is extremely important to us”, Facebook said in a statement. This includes the information people include within their profile, and who can see this information.