Facebook privacy alert: Someone (else) can haul your user data away
Facebook is the number one target of hackers because of the vast amount of data it has. This feature is provided as a default setting in all accounts and even overrides the option that users might have enabled to “withhold their mobile number from their public profile”. It is something that Facebook users can take steps to protect themselves against, but as things stand Moaiandin says it is like “walking into a bank, asking for a few thousand customers' personal information based on their account number, and the bank telling you: 'Here are their customer details'”.
“Unfortunately for the 1.44 billion people now using Facebook, this means that sophisticated hackers and black market sellers can access names and mobile phone numbers in as little as an hour through reverse engineering – at a time when an entire identity can be sold for as little as “, he said.
Software engineer Reza Moaiandin used an algorithm to generate thousands of phone numbers and then used Facebook’s API to collect thousands of profiles linked to some of those numbers.
Searching and mapping friends by simply looking up their phone numbers is a handy feature if you don’t know the email address of your friend, or if their profile is hidden from public view. A software engineer was able to access user data just by entering their mobile number.
The researcher also said that his discovery could result in significant phishing problems if Facebook does not limit mobile searches.
“Developers are only able to access information that people have chosen to make public”.
Moaiandin alerted Facebook, and the spokesperson replied with: “We do not consider it a security vulnerability, but we do have controls in place to monitor and mitigate abuse”.
But Moaiandin says that Facebook should go further by “limiting the requests from a single user, and detecting patterns, before moving on to pre-encrypting all of its data”.
While some of the data is already publicly accessible, the most worrying element is the ability to link a person to their phone number. If you really feel that passionately about your privacy, then read the terms and conditions in full, or alternatively, don’t use a social media platform that aims to share information about you.
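The mitigation Moaiandin proposes, limiting requests from a single user and detecting patterns, can be sketched on the server side as follows. This is an added example, not Facebook's code and not part of the original article; the thresholds, the `LookupGuard` class and the `replay` helper are assumptions, and the sample traffic is constructed.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60  # assumed sliding-window length
MAX_LOOKUPS = 20     # assumed per-client budget per window
MIN_RUN = 5          # assumed: consecutive numbers that mark a sweep


class LookupGuard:
    """Per-client sliding-window limit plus sequential-sweep detection."""

    def __init__(self):
        self.history = defaultdict(deque)  # client_id -> (ts, number) pairs

    def check(self, client_id, ts, phone):
        """Return 'allow', 'throttle' or 'flag_enumeration' for one lookup."""
        number = int("".join(ch for ch in phone if ch.isdigit()))
        window = self.history[client_id]
        while window and ts - window[0][0] >= WINDOW_SECONDS:
            window.popleft()  # drop lookups that aged out of the window
        window.append((ts, number))
        if self._longest_run({n for _, n in window}) >= MIN_RUN:
            return "flag_enumeration"
        if len(window) > MAX_LOOKUPS:
            return "throttle"
        return "allow"

    @staticmethod
    def _longest_run(seen):
        """Length of the longest run of consecutive integers in a set."""
        best = 0
        for n in seen:
            if n - 1 not in seen:  # n starts a run
                length = 1
                while n + length in seen:
                    length += 1
                best = max(best, length)
        return best


def replay(events):
    """Run constructed (client, ts, phone) events through a fresh guard."""
    guard = LookupGuard()
    return [guard.check(c, t, p) for c, t, p in events]


# Constructed sample traffic using fictional 555 numbers.
NORMAL = [("alice", 0, "+1 202 555 0143"), ("alice", 9, "+1 415 555 0110")]
SWEEP = [("bot", t, f"+1 202 555 {100 + t:04d}") for t in range(8)]
BURST = [("bulk", t, f"+1 202 555 {t * 37:04d}") for t in range(25)]
```

The sequential sweep is flagged on its fifth lookup, well before the volume limit would trip, which is why the pattern check runs alongside the rate limit rather than replacing it.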