Suriya Prakash discovered a security weakness in the popular social media website Facebook. He noticed that Facebook was suggesting, as friends, users whose numbers he had in the contact list of his mobile phone. After a little research, he found that he could search for users by their phone numbers, even random ones.
Facebook’s default privacy and search settings were set to “Everyone”. Prakash realized that even if you did not explicitly post your mobile phone number on your profile, if you had the app installed on your phone, your number (and apparently the numbers of everyone in your contacts) was publicly linked to your account. Prakash deliberately demonstrated this to Facebook, and they fired back that this was part of the search feature and not a fault. This puts people at risk regardless; for example, if a telemarketer or a hacker wanted to harvest cellphone numbers, a script could be written to look up randomly generated phone numbers and retrieve the real identities attached to them.
Other security researchers found that they could run searches through the web application that returned a decent number of real phone numbers, such as 40-60 numbers out of 300 requests. Once Facebook admitted fault in allowing phone numbers to be searched and harvested, they finally patched the issue, months after first being notified of the loophole. Facebook now limits the number of phone-number searches per user to 10-30 requests.
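The defensive side of the story above, as an added example that is not code from the article or from Facebook: a per-user sliding-window cap on lookups (the mitigation the article describes) and a detection rule that flags accounts with high lookup volume and a low match rate, the signature of random-number harvesting. The lookup log, the user ids, the limit of 30 per hour and the hit-ratio threshold are all constructed assumptions for the demonstration.

```python
from collections import defaultdict, deque


def build_sample_events():
    """Constructed lookup log: (timestamp_s, user_id, number_queried, profile_matched).
    'scraper' fires 300 random numbers and matches 50 of them (the 40-60 of 300 ratio
    reported above); 'normal' looks up three numbers it actually knows."""
    events = []
    for i in range(300):
        events.append((i, "scraper", f"+1555000{i:04d}", i % 6 == 0))
    for i, number in enumerate(["+15551112222", "+15553334444", "+15555556666"]):
        events.append((i * 10, "normal", number, True))
    return events


class LookupRateLimiter:
    """Per-user sliding-window cap on phone-number lookups (assumed 30 per hour)."""

    def __init__(self, limit=30, window_seconds=3600):
        self.limit = limit
        self.window = window_seconds
        self._hits = defaultdict(deque)  # user_id -> timestamps of recent lookups

    def allow(self, user_id, ts):
        q = self._hits[user_id]
        while q and ts - q[0] >= self.window:  # drop lookups outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(ts)
        return True


def flag_enumeration(events, min_requests=100, max_hit_ratio=0.5):
    """Flag users with many lookups and a low match rate: random numbers rarely match,
    real contacts usually do. Returns {user_id: (total_lookups, matches)}."""
    stats = defaultdict(lambda: [0, 0])
    for _, user, _, matched in events:
        stats[user][0] += 1
        stats[user][1] += int(matched)
    return {user: (total, hits) for user, (total, hits) in stats.items()
            if total >= min_requests and hits / total <= max_hit_ratio}


def simulate(events, limiter):
    """Replay the log through the limiter; return lookups allowed per user."""
    allowed = defaultdict(int)
    for ts, user, _, _ in sorted(events):
        if limiter.allow(user, ts):
            allowed[user] += 1
    return dict(allowed)
```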