After a researcher showed that Facebook's search-by-phone-number feature could be used to harvest users' phone numbers in bulk, Facebook has responded that the feature works as intended but that the abuse described was rate-limited and blocked. According to Computerworld, independent security researcher Suriya Prakash found that the lookup function was heavily flawed: it could be queried at scale, allowing people to easily harvest phone numbers matched to account names.
Facebook asks users to provide a phone number for additional account security, and it also lets other people search for an account by that number. Prakash found that the lookup could be driven by a script: feed it a range of candidate numbers, and every number that belongs to an account left on the default visibility setting comes back tied to a name. Run at scale, that yields thousands of name-to-number pairs that an attacker could sell to telemarketers or use for other malicious purposes.
He said he first contacted Facebook about the issue more than a month earlier, but had gotten no meaningful response until now.
Prakash posted about the issue, and subsequent correspondence with Facebook, on his blog:
I also calculated that it would take a person with a large enough botnet (100k) and a slightly better script (tylers will do the JOB) just a couple of days to download the ENTIRE Username:Phonenumber list of Facebook’s 600 million users who have mobile! Out of which at least 500 million would be vulnerable.
Connecting a person’s phone number to a name is what every advertiser dreams of, and these sorts of lists would fetch a LARGE price in the black market, and would also be a HUGE breach of privacy. So to protect yourself against this, change your settings to “my friends” and ask Facebook to provide an “only me” option and make it such that it is the default setting for all users.
Prakash urged users to change their settings so that if a phone number is on their profile, it can only be seen by themselves. Facebook responded with the following statement:
The ability to search for a person by phone number is intentional behavior and not a bug in Facebook. By default, your privacy settings allow everyone to find you with search and friend finder using the contact info you have provided, such as your email address and phone number. You can modify these settings at any time from the privacy settings page. Facebook has developed an extensive system for preventing the malicious usage of our search functionality, and the scenario described by the researcher was indeed rate-limited and eventually blocked. We are constantly updating these systems to improve their effectiveness and address new kinds of attacks.
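To make the mechanics concrete, here is a simulation of the situation described above. It is an added example, not Facebook's code and not Prakash's script: it models a search-by-phone endpoint with the three visibility settings the article mentions ("everyone", "friends", "only me"), an attacker walking a block of numbers across many source addresses (the botnet Prakash describes), a per-source rate limit of the kind a botnet defeats by spreading its queries, and a global budget on lookups that match no account at all, which trips on enumeration no matter how many addresses it comes from. The directory, friend graph, number range, address list and limit values are all constructed for the example; the class and function names are my own.

```python
"""Simulation of phone-number enumeration against a "find by phone" lookup.

Added example, not Facebook's code or Prakash's script. The directory,
friend graph, number range and limit values are constructed for illustration.
"""
from collections import defaultdict

# Constructed directory: E.164 number -> (username, who may find it by number).
# Visibility values mirror the settings discussed in the article; "everyone"
# is the default that makes an account enumerable.
DIRECTORY = {
    "+15550000100": ("alice", "everyone"),
    "+15550000123": ("bob", "everyone"),
    "+15550000150": ("carol", "friends"),
    "+15550000177": ("dave", "only_me"),
    "+15550000199": ("erin", "everyone"),
}
FRIENDS = {"carol": {"bob"}}  # constructed friend graph: carol is friends with bob


class PerSourceLimiter:
    """Blocks a source address after `limit` queries. A botnet sidesteps this
    by spreading its queries over many addresses."""

    def __init__(self, limit):
        self.limit = limit
        self.counts = defaultdict(int)

    def allow(self, source):
        self.counts[source] += 1
        return self.counts[source] <= self.limit


class GlobalMissBudget:
    """Counts lookups that match no account at all, across every source.
    Real contact-import traffic is dominated by hits (numbers of actual
    people); walking a number range is dominated by misses, so the budget
    trips on enumeration regardless of how many addresses it comes from."""

    def __init__(self, max_misses):
        self.max_misses = max_misses
        self.misses = 0
        self.tripped = False

    def record(self, hit):
        if not hit:
            self.misses += 1
            if self.misses > self.max_misses:
                self.tripped = True
        return not self.tripped


def search_by_phone(number, requester, source, limiter, budget=None):
    """Lookup endpoint. Returns the username tied to `number` if the
    requester is allowed to see it, else None. The response is identical
    for "no such number", "hidden from you" and "blocked", so the caller
    learns nothing from a None."""
    if not limiter.allow(source):
        return None
    entry = DIRECTORY.get(number)
    hit = entry is not None
    if budget is not None and not budget.record(hit):
        return None
    if not hit:
        return None
    username, visibility = entry
    if visibility == "everyone":
        return username
    if visibility == "friends" and requester in FRIENDS.get(username, set()):
        return username
    return None  # "only_me", or a friends-only number queried by a stranger


def enumerate_range(prefix, start, stop, sources, limiter, budget=None):
    """Attacker loop: walk a block of numbers, rotating through `sources`
    (one per bot), and collect every username:number pair that comes back."""
    found = {}
    for i, n in enumerate(range(start, stop)):
        number = f"{prefix}{n:04d}"
        source = sources[i % len(sources)]
        user = search_by_phone(number, "attacker", source, limiter, budget)
        if user:
            found[user] = number
    return found


if __name__ == "__main__":
    block = ("+1555000", 100, 300)
    bots = [f"10.0.0.{k}" for k in range(10)]
    print("one source, per-source limit 20: ",
          enumerate_range(*block, ["10.0.0.1"], PerSourceLimiter(20)))
    print("ten sources, per-source limit 20:",
          enumerate_range(*block, bots, PerSourceLimiter(20)))
    budget = GlobalMissBudget(50)
    print("ten sources plus global miss budget:",
          enumerate_range(*block, bots, PerSourceLimiter(20), budget),
          "tripped:", budget.tripped)
```

Run stand-alone, the first scenario shows a single address stopped after twenty queries, the second shows ten addresses sweeping the whole block and collecting every "everyone" account, and the third shows the global miss budget tripping partway through the sweep even though no single address exceeded its limit. The two defensive points the article circles around are visible in the code: the per-source limit is necessary but not sufficient against a distributed client, and an account whose visibility is "friends" or "only me" is never returned to a stranger no matter how the limits are tuned, which is why Prakash's advice to change that setting matters independently of Facebook's rate limiting.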
Readers: Do you have your phone number tied to your Facebook account? If so, do you have the proper privacy settings?
Image courtesy of Shutterstock.