Facebook has come under fire for lax user data security, as a software engineer was able to extract personal information about thousands of users from the social media company.
With thousands of users’ names, photos, location settings and phone numbers leaking out through a security loophole, Facebook has been called upon to tighten its privacy settings.
The data was harvested using a little-known search feature which allows you to search for any Facebook user using only their phone number.
A software engineer discovered this feature and, keen to explore it, wrote an algorithm that generated thousands of numbers automatically. When he sent these numbers through Facebook’s application programming interface (API), user profiles and personal data soon began pouring in.
All of the data is publicly available, but as there is no limit to the number of searches an individual user can make, the loophole could be used by cyber crooks to extract information about “millions” of users, according to the engineer Reza Moaiandin, technical director of Leeds-based company Salt.agency. Writing on the company blog, he said the loophole was discovered “by mistake”:
By using a script, an entire country’s (I tested with the US, the UK and Canada) possible number combinations can be run through these URLs, and if a number is associated with a Facebook account, it can then be associated with a name and further details.
Moaiandin has alerted Facebook to the security flaw, and a spokesperson told him “We do not consider it a security vulnerability, but we do have controls in place to monitor and mitigate abuse.”
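What the “controls in place to monitor and mitigate abuse” could look like on the operator’s side, as an added example that is not code from the article, Facebook or Salt.agency: a small detector run over a constructed access log for a phone-search endpoint (the log format, field names and thresholds are assumptions) that flags a client querying many distinct numbers per minute, or consecutive numbers, the two signatures of the scripted harvest described above.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlparse
# Constructed sample log (not from the article), "timestamp client path": client-A walks a generated number range, client-B looks up two contacts.
SAMPLE_LOG = """\
2015-08-06T10:00:00Z client-B /search?phone=%2B447700900123
2015-08-06T10:00:01Z client-A /search?phone=%2B12025550100
2015-08-06T10:00:01Z client-A /search?phone=%2B12025550101
2015-08-06T10:00:02Z client-A /search?phone=%2B12025550102
2015-08-06T10:00:02Z client-A /search?phone=%2B12025550103
2015-08-06T10:00:03Z client-A /search?phone=%2B12025550104
2015-08-06T10:05:00Z client-B /search?phone=%2B447700900456
"""

def parse_lookups(log_text):
    """Return (timestamp, client, phone digits) for each phone-search request."""
    out = []
    for line in log_text.splitlines():
        ts, client, path = line.split()
        phone = parse_qs(urlparse(path).query).get("phone")
        if phone:  # %2B decodes to "+"; keep digits only so formats compare equal
            out.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client,
                        re.sub(r"\D", "", phone[0])))
    return out

def flag_enumeration(log_text, window=timedelta(minutes=1), max_distinct=4, min_run=4):
    """Flag clients whose lookups look like number-space enumeration rather than a person
    finding contacts: too many distinct numbers per window, or a run of consecutive ones."""
    by_client = defaultdict(list)
    for ts, client, digits in parse_lookups(log_text):
        by_client[client].append((ts, int(digits)))
    findings = {}
    for client, events in by_client.items():
        events.sort()
        reasons, start = set(), 0
        for end in range(len(events)):  # sliding time window over distinct numbers
            while events[end][0] - events[start][0] > window:
                start += 1
            if len({n for _, n in events[start:end + 1]}) > max_distinct:
                reasons.add("high_volume")
        nums = sorted({n for _, n in events})  # consecutive numbers = generated list
        run = 1
        for a, b in zip(nums, nums[1:]):
            run = run + 1 if b == a + 1 else 1
            if run >= min_run:
                reasons.add("sequential_run")
        if reasons:
            findings[client] = sorted(reasons)
    return findings
```

A flagged client is the input to the mitigation side: throttling or blocking the phone-search endpoint for that client, which is the per-user limit the article notes was missing.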
The “Who can search for me?” setting is set to public by default, meaning that even if your mobile number is withheld on the site, it can still be used to find you using this loophole.
A Facebook spokesperson told City A.M. that this is set to public so that users can more easily be found by friends, and that users’ privacy was “extremely important” to the company:
We have industry leading proprietary network monitoring tools constantly running in order to ensure data security and have strict rules that govern how developers are able to use our APIs to build their products. Developers are only able to access information that people have chosen to make public.