Independent Security Researcher Exploits Facebook Security Loophole That Leaked User’s Cellphone Numbers

Suriya Prakash discovered a weak point in the security of the popular social media website Facebook. He noticed that Facebook was suggesting people from his mobile phone's contact list to him as friends. With a little further research, he found that he could search for users by their phone numbers, even random ones.

Facebook's default privacy and search settings are set to "Everyone". Prakash realized that even if you never explicitly posted your mobile phone number on your profile, having the app installed on your phone meant that your number (and apparently the numbers of everyone in your contacts) was publicly linked to your account. Suriya disclosed this to Facebook, and they replied that this was part of the search feature and not a fault. This puts people at risk regardless; for example, if a telemarketer or a hacker wanted to harvest cellphone numbers, a script could be written to look up randomly generated phone numbers and collect the real identities attached to them.

Other security researchers found that searches through the web application returned a decent amount of actual phone numbers, on the order of 40-60 numbers out of 300 requests. Once Facebook admitted its fault in allowing phone numbers to be searched and exploited, it finally patched the error, months after being notified of the loophole. Facebook now limits the number of phone-number searches per user to 10-30 requests.
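The defensive side of the story above is a per-user quota on reverse phone lookups plus honouring the "who can find me by phone number" setting, and, for the operator, spotting a requester whose lookup pattern looks like enumeration (many requests, mostly misses). The following is an added example written for this post, not code from Facebook or from the researcher; the directory, the log lines, the thresholds and the `ReverseLookupService` / `flag_enumerators` names are all constructed assumptions.

```python
"""Added defensive example: quota-limited reverse phone lookup that respects
a per-user searchability setting, plus enumeration detection over access logs."""

from collections import defaultdict

# Constructed directory: phone -> (account, "searchable by phone" setting).
# Real systems would store this in a database; values here are made up.
DIRECTORY = {
    "+15550100001": ("alice", "everyone"),
    "+15550100002": ("bob", "friends"),
    "+15550100003": ("carol", "everyone"),
}

# The post says the patched behaviour caps lookups per user at 10-30 requests;
# the exact window length is not stated, so this is a simple per-session counter.
LOOKUP_QUOTA = 10


class ReverseLookupService:
    """Reverse phone lookup with a per-requester quota and privacy-setting check."""

    def __init__(self, quota=LOOKUP_QUOTA):
        self.quota = quota
        self.used = defaultdict(int)  # requester -> lookups consumed

    def lookup(self, requester, phone):
        # Count the attempt before answering, so misses also burn quota;
        # otherwise an enumerator pays nothing for random numbers.
        if self.used[requester] >= self.quota:
            return "rate_limited"
        self.used[requester] += 1
        entry = DIRECTORY.get(phone)
        if entry is None:
            return None
        account, setting = entry
        # A non-"everyone" setting must look identical to "no such number",
        # so the response does not confirm that the number belongs to anyone.
        if setting != "everyone":
            return None
        return account


# Constructed access-log sample: u42 probes many numbers and mostly misses,
# u7 makes two successful lookups of people it knows.
LOG_LINES = [
    "2012-10-09T10:00:01Z requester=u42 phone=+15550100001 result=hit",
    "2012-10-09T10:00:02Z requester=u42 phone=+15550100999 result=miss",
    "2012-10-09T10:00:03Z requester=u42 phone=+15550100998 result=miss",
    "2012-10-09T10:00:04Z requester=u42 phone=+15550100997 result=miss",
    "2012-10-09T10:00:05Z requester=u42 phone=+15550100003 result=hit",
    "2012-10-09T10:00:06Z requester=u42 phone=+15550100996 result=miss",
    "2012-10-09T10:00:07Z requester=u42 phone=+15550100995 result=miss",
    "2012-10-09T10:00:08Z requester=u42 phone=+15550100994 result=miss",
    "2012-10-09T10:05:00Z requester=u7 phone=+15550100001 result=hit",
    "2012-10-09T10:05:30Z requester=u7 phone=+15550100003 result=hit",
]


def flag_enumerators(lines, max_lookups=5, max_miss_ratio=0.5):
    """Return requesters with more than max_lookups lookups whose miss ratio
    is at least max_miss_ratio: the signature of guessing numbers at random."""
    stats = defaultdict(lambda: [0, 0])  # requester -> [lookups, misses]
    for line in lines:
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])
        counters = stats[fields["requester"]]
        counters[0] += 1
        if fields["result"] == "miss":
            counters[1] += 1
    return sorted(
        requester
        for requester, (lookups, misses) in stats.items()
        if lookups > max_lookups and misses / lookups >= max_miss_ratio
    )


if __name__ == "__main__":
    svc = ReverseLookupService(quota=3)
    for phone in ("+15550100001", "+15550100002", "+15550100003", "+15550100001"):
        print(phone, "->", svc.lookup("u1", phone))
    print("flagged:", flag_enumerators(LOG_LINES))
```

The two controls complement each other: the quota bounds how many numbers any one account can test, and the miss-ratio check catches the pattern the researchers describe (hundreds of requests for a few dozen hits) even from a requester that stays just under the quota by rotating accounts, once the logs are aggregated by a stable key such as the source address.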

Facebook lists user phone numbers for all to see
Facebook patches security hole that allowed mass harvesting of phone numbers
Facebook Privacy: A Bewildering Tangle of Options


10 thoughts on "Independent Security Researcher Exploits Facebook Security Loophole That Leaked User's Cellphone Numbers"

  1. I wondered why so many strangers were calling me…haha but I’m surprised that this problem was not confronted earlier. This is obviously a major problem and it makes me very worried about logging onto Facebook from my phone, or even listing my number on my profile.

    • I've never put my phone number explicitly on the site itself, or added it as a security feature. What got me was that if the app was downloaded on my phone, it was able to link my number and my contacts to my account, where there was no security in who sees it.

  2. Facebook is not a trusted place to keep private info in, I guess. I've never trusted it and I don't think I'll do that one day. Even after the timeline thing, it becomes worse and worse. Also, I have no idea what they changed in the privacy setting options in the new version of FB!!

    • I agree nobody should keep private info such as cell phone numbers or email on Facebook, but people are not the smartest things out there and as such do stupid things. Also, I can’t see what they changed either. FFS Facebook needs to stop changing their privacy settings.

      • Ever since Facebook was sold publicly, it’s been going downhill. It’s now a huge datamine for the highest bidder. I agree, keeping your private information private is the best way to go.

  3. I remember when they made the huge shift from the default settings. I actually took the time to change most of my settings and it’s pretty impossible to find me by google now, and I don’t have a Facebook app because I really don’t care about Facebook that much… (and the app sucks and drains my battery)

  4. Right then. App deleted. thanks for the heads up.

    Not that it does me much good. I’m the first two pages of a google search for me. Pretty much hosed as far as keeping a low profile now. Still, the phone number? That’s low. Who’s even using that information? Telemarketers?

    • I was always wondering how long we would be able to hide behind a cellphone number because they’re not public information. Even further, if you are on someone else’s phone plan, you’re more invisible. That can be a good or a bad thing.

      As far as Google, it’s wise to take precautionary measures to ensure that the information that’s returned in your search results is fairly safe for the Internet. I’ve gone through and had things removed to make for more anonymity. With unique names such as yours and mine, this is crucial. Having some online presence is a good thing, but full exposure is detrimental to your name and other things such as possible employers (yes, they do Google searches on future employees). I’m rambling, sorry.

      As far as who uses the information, the articles I read said telemarketers and people who are good enough to obtain the information to sell it off to the highest bidders (namely, telemarketers). I would imagine if someone, say a bill collector had enough money, (we all know they go to great measures–including spending more money trying to get a hold of you than the actual debt is worth; I’ve heard stories) they could buy a database of names and numbers and the privacy issues would be out of control. Legislation in privacy and security is highly lacking. It seems when something is proposed, it violates privacy in the name of security. Now how does that Ben Franklin quote go.. “Those who give up freedom for security deserve neither”.

  5. Just thinking that Facebook can take your phone number if you have the app is kinda scary. I mean, if an app can get your phone number, what else could someone get if they were actually trying to get information from people?

    • Something about FaceBook always seemed a little shady. Free database for the highest bidder! In that case, FB is free and thus you forfeit the right to privacy. I'm not sure if that is entirely true, however I don't doubt it.
