According to online media outlet The Guardian, a software engineer was able to harvest data about thousands of users just by guessing their mobile numbers. The data collected included the names, profile pictures and locations of users who had linked their mobile number to their Facebook account, but had chosen not to make it public. Reza Moaiandin, the software engineer who got access to the information, exploited a little-known privacy setting allowing anyone to find a Facebook user by typing their phone number into the social network.
By default, the ‘Who can find me?’ setting is set to everyone/public – meaning anyone can find another user by their mobile number. This is the default setting even if that user had chosen to withhold their mobile number from their public profile.
Using an algorithm, Moaiandin generated tens of thousands of mobile numbers a second and then sent these numbers to Facebook’s application programming interface (API), a tool that allows developers to build apps linked to the social network. Within minutes, Facebook sent him scores of users’ profiles. All the information Moaiandin received was publicly available, but the ability to link the profiles to mobile numbers on such a large scale leaves the system open to abuse.
Security experts noted that the loophole would allow attackers to build enormous databases of Facebook users for sale on internet black markets.
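From the defender's side, the large-scale lookups described above are a pattern a platform can look for in its own API logs. The following Python is an added example and is not code from The Guardian article or from Facebook; it assumes a hypothetical log line format (timestamp, API key, looked-up number, hit or miss), constructs a few sample lines inline, and flags any API client whose lookups within a sliding window are too numerous, mostly misses, or sequential.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def _build_sample_log():
    """Constructed sample log lines in a hypothetical format:
    <ISO timestamp> <api_key> lookup phone=<E.164 number> result=<hit|miss>
    """
    base = datetime(2015, 8, 10, 12, 0, 0)
    lines = []
    # A normal client: three unrelated numbers spread over a minute, all hits.
    for i, num in enumerate(["+15551230001", "+15559876543", "+15553334444"]):
        ts = base + timedelta(seconds=i * 20)
        lines.append(f"{ts.isoformat()} app_normal lookup phone={num} result=hit")
    # An enumerating client: 25 consecutive numbers within ten seconds, mostly misses.
    for i in range(25):
        ts = base + timedelta(milliseconds=i * 400)
        result = "hit" if i % 7 == 0 else "miss"
        lines.append(f"{ts.isoformat()} app_enum lookup phone=+1555000{i:04d} result={result}")
    return lines


SAMPLE_LOG = _build_sample_log()


def parse_line(line):
    """Parse one log line of the hypothetical format into a dict."""
    ts_str, api_key, _action, phone_field, result_field = line.split()
    return {
        "ts": datetime.fromisoformat(ts_str),
        "api_key": api_key,
        # Keep the number as an integer so sequential runs are easy to test.
        "phone": int(phone_field.split("=", 1)[1].lstrip("+")),
        "hit": result_field.split("=", 1)[1] == "hit",
    }


def _longest_consecutive_run(sorted_numbers):
    """Length of the longest run of consecutive integers in a sorted list."""
    best = run = 1 if sorted_numbers else 0
    for prev, cur in zip(sorted_numbers, sorted_numbers[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def detect_enumeration(lines, window_seconds=60, max_distinct=20,
                       run_length=5, min_lookups=10, min_hit_rate=0.5):
    """Return {api_key: [reasons]} for clients whose lookups look like enumeration.

    Three signals are checked per client over a sliding time window:
      volume       - more distinct numbers than a legitimate app would look up
      sequential   - a run of consecutive numbers, i.e. numbers generated, not known
      low_hit_rate - most lookups miss, as guessing does and a contact sync does not
    """
    windows = defaultdict(deque)
    alerts = {}
    events = sorted((parse_line(l) for l in lines), key=lambda e: e["ts"])
    for ev in events:
        key = ev["api_key"]
        win = windows[key]
        win.append((ev["ts"], ev["phone"], ev["hit"]))
        # Evict everything older than the window.
        cutoff = ev["ts"] - timedelta(seconds=window_seconds)
        while win and win[0][0] < cutoff:
            win.popleft()
        numbers = sorted({p for _, p, _ in win})
        hits = sum(1 for _, _, h in win if h)
        reasons = set(alerts.get(key, ()))
        if len(numbers) > max_distinct:
            reasons.add("volume")
        if _longest_consecutive_run(numbers) >= run_length:
            reasons.add("sequential")
        if len(win) >= min_lookups and hits / len(win) < min_hit_rate:
            reasons.add("low_hit_rate")
        if reasons:
            alerts[key] = sorted(reasons)
    return alerts


if __name__ == "__main__":
    for key, reasons in detect_enumeration(SAMPLE_LOG).items():
        print(f"{key}: {', '.join(reasons)}")
```

The thresholds are assumptions to be tuned against real traffic: a contact-import feature legitimately looks up many numbers at once, but those numbers are neither consecutive nor mostly misses, which is why the three signals are reported separately rather than folded into one score.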
The developer alerted Facebook to the vulnerability in April 2015 through its “bug bounty” scheme and then again in July 2015, when a Facebook security engineer said the company had measures in place to prevent suspicious behaviour. He also urged Facebook to introduce a second layer of encryption, as Apple and Google have in place, stating that this second layer would have prevented him from finding the users’ information.
Commenting on this issue, a Facebook spokesman declared that the privacy of people who use Facebook is extremely important to the company. It has industry-leading proprietary network monitoring tools constantly running in order to ensure data security and has strict rules that govern how developers are able to use its APIs to build their products. Developers are only able to access information that people have chosen to make public.
According to security researcher Brian Honan, people need to be more aware of how much information they share online. He said that the main issue is a combination of social networks not gathering and retaining as much information on people as they do, and people being more aware of the risks they face when posting so many details online.