The technical director of Salt.agency, Reza Moaiandin, has discovered a flaw in Facebook wherein an attacker will be able to decrypt personal details simply by putting a phone number in the search bar. Mr. Moaiandin created a script that generated every possible phone number combination in the UK, US and Canada. These numbers were sent to Facebook’s app-building program, and he was able to gain a number of personal details of people with a Facebook account.
In a statement made to the Daily Mail, Mr. Moaiandin said, “With this security loophole, a person with the right knowledge can harvest the non-private details of the users who allow public access to their phone numbers, enabling the harvester to then use or sell on the user details for purposes that the user may not be happy with.” He also said that he had contacted Facebook with this information, but they had emailed him back saying, “We do not consider it a security vulnerability but we do have controls in place to monitor and mitigate abuse.”
However, the data gathered was limited to what users had made public. This has underlined the need for users to be more aware of Facebook’s privacy settings. In the About Me section, they can select which groups can see personal details such as birthdates, relationship statuses, address, and phone numbers.
This comes just a few days after Facebook terminated the internship of an Indian-origin Harvard student, Aran Khanna, after he exposed flaws in the service. According to Mr. Khanna, “My Facebook internship was cancelled after I developed an app that pointed out the privacy flaws in the popular social media’s messenger service.” According to Facebook, his app violated the user agreement by “scraping” the website.
Regardless, Facebook’s 1.44 billion users are advised to change their privacy settings as soon as possible so as to ensure that their data is protected. They should also be a lot more careful when allowing any third party app access to their Facebook account, especially considering this isn't the first time Facebook has been criticised for its privacy settings.
You can also read Mr. Moaiandin's original blog post here.