Facebook Loophole Makes Your Phone Number a Data Hacking Tool
The hack exploits a tool intended to let anyone find a Facebook user by entering that person’s phone number into a search box. Users can, first of all, choose not to link their phone numbers to their Facebook profiles at all.
Within minutes, Facebook responded with thousands of users’ profiles. Facebook recently unveiled a privacy checkup tool which it says helps users ensure they are not sharing information they do not want to. Facebook users can take steps to protect themselves, but as things stand Moaiandin says it is like “walking into a bank, asking for a few thousand customers’ personal information based on their account number, and the bank telling you: ‘Here are their customer details’”.
“Unfortunately, for the 1.44 billion people now using Facebook, this means that sophisticated hackers and black market sellers can access names and mobile phone numbers in as little as an hour through reverse engineering – at a time when an entire identity can be sold for as little as $5”. Through the hack, the software engineer was able to access the public details of numerous profiles, including names, images, and any locations they had made available.
By default, this setting is left as accessible to “Everyone/Public”, so anyone with a number generator and access to the Facebook API (neither of which is hard to come by) could gobble up swathes of user data, unless vigilant Facebook users make the appropriate settings changes.
Moaiandin said that this flaw could be a huge phishing problem if no limit is created, and the loophole is discovered by the wrong person. Facebook reportedly dismissed his discovery and refused to call it a vulnerability.
Facebook should go further by “limiting the requests from a single user, and detecting patterns, before moving on to pre-encrypting all of its data”.
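The two controls Moaiandin recommends, per-user request limiting and pattern detection, can be illustrated on the service side. The following is an added example, not Facebook’s code: it assumes a hypothetical lookup log with one line per search in the form "<unix_ts> <account_id> <queried_number>" (the sample lines are constructed), and flags accounts that either exceed a lookup rate or query a run of consecutive numbers, the signature of a number generator.

```python
import re
from collections import defaultdict, deque

# Constructed sample log of phone-number lookups against a search endpoint.
# Format is an assumption for this example: "<unix_ts> <account_id> <queried_number>".
SAMPLE_LOG = """\
1000 acct_a +15550100001
1001 acct_a +15550100002
1002 acct_a +15550100003
1003 acct_a +15550100004
1004 acct_a +15550100005
1005 acct_b +15550107777
2000 acct_b +15550109999
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+\+?(\d+)$")


def parse_log(text):
    """Return a list of (ts, account, number_as_int) for each well-formed line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((int(m.group(1)), m.group(2), int(m.group(3))))
    return events


def flag_enumeration(events, window_s=60, max_lookups=20, seq_run=5):
    """Return {account: set(reasons)} for accounts that behave like a number
    generator: more than max_lookups lookups inside a sliding window of
    window_s seconds ("rate"), or seq_run consecutive numbers ("sequential")."""
    recent = defaultdict(deque)   # account -> timestamps still inside the window
    last_num = {}                 # account -> (last number queried, current run length)
    flagged = defaultdict(set)
    for ts, acct, num in sorted(events):
        q = recent[acct]
        q.append(ts)
        while q and ts - q[0] > window_s:
            q.popleft()
        if len(q) > max_lookups:
            flagged[acct].add("rate")
        prev, run = last_num.get(acct, (None, 0))
        run = run + 1 if prev is not None and num == prev + 1 else 1
        last_num[acct] = (num, run)
        if run >= seq_run:
            flagged[acct].add("sequential")
    return dict(flagged)
```

In production the same checks would sit in front of the search endpoint and throttle or challenge the flagged account rather than only reporting it.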
If you have added your mobile number to your Facebook account, you can manually configure how it can be used to track you down.
The “Who can search for me?” setting is set to public by default, meaning that even if your mobile number is withheld on the site, it can still be used to find you using this loophole. With a simple cross-check, he was able to identify which of the guessed phone numbers was correct.