Facebook users are being urged to check their privacy settings, after a software engineer discovered a way to harvest data about thousands of users by guessing their mobile phone numbers.
The software engineer, Reza Moaiandin, explained how he was able to obtain the names, profile pictures and locations of users by exploiting a little-known privacy setting that allows anyone to find a Facebook user by typing their phone number into the search bar.
This "Who can look me up?" setting is set to "Everyone" by default, meaning that anyone can find another user by their mobile number – even if the number is not visible on their public profile – unless that user has changed their privacy settings manually.
Mr Moaiandin used a simple algorithm to generate thousands of possible mobile numbers in the US, the UK and Canada, and then ran these through a Facebook application programming interface (API) to find out which were associated with Facebook accounts.
Once these accounts were identified, he was able to harvest more
information from those users' profiles. Although all of the information
was publicly available, Mr Moaiandin said the ability to link Facebook
profiles with mobile numbers on such a large scale leaves the system
open to abuse.
"This could be a huge
phishing problem if no limit is created, and the loophole is discovered
by the wrong person," he wrote in a blog post.
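The following is an added illustration of the two ideas above, the sequential number-generation technique and the "limit" Mr Moaiandin says is missing; it is not his code and does not touch Facebook's API. It models a reverse-lookup endpoint as an in-memory directory (constructed sample entries, using the UK's fictional 07700 900xxx range) and shows how a per-client sliding-window lookup limit cuts a bulk sweep short. All names and numbers are invented for the example.

```python
"""Bulk phone-number enumeration against a 'look me up by phone' feature,
and the per-client rate limit that blunts it.  Constructed, offline example."""
import time
from collections import deque
from typing import Callable, Dict, Iterable, Iterator, Optional

# Constructed stand-in for profiles whose lookup setting is "Everyone".
SAMPLE_DIRECTORY: Dict[str, dict] = {
    "+447700900123": {"name": "Alice Example", "location": "London"},
    "+447700900456": {"name": "Bob Example", "location": "Leeds"},
    "+447700900789": {"name": "Carol Example", "location": "Glasgow"},
}


def candidate_numbers(prefix: str, start: int, count: int, width: int) -> Iterator[str]:
    """Yield E.164-style numbers: a known country/carrier prefix followed by
    every zero-padded suffix in a range.  This is the whole 'algorithm':
    the search space for a mobile block is small enough to walk in full."""
    for i in range(start, start + count):
        yield f"{prefix}{i:0{width}d}"


class RateLimited(Exception):
    """Raised when a client exceeds its lookup budget for the current window."""


class LookupService:
    """Reverse-lookup endpoint with a sliding-window, per-client lookup limit."""

    def __init__(self, directory: Dict[str, dict], max_lookups: int,
                 window_seconds: float,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._directory = directory
        self._max = max_lookups
        self._window = window_seconds
        self._clock = clock  # injectable so the window can be tested deterministically
        self._history: Dict[str, deque] = {}

    def lookup(self, client_id: str, number: str) -> Optional[dict]:
        now = self._clock()
        history = self._history.setdefault(client_id, deque())
        # Forget timestamps that have aged out of the window.
        while history and now - history[0] >= self._window:
            history.popleft()
        if len(history) >= self._max:
            raise RateLimited(f"{client_id}: {self._max} lookups per {self._window}s exceeded")
        # Count every probe, hit or miss; otherwise misses sweep the space for free.
        history.append(now)
        return self._directory.get(number)


def enumerate_profiles(service: LookupService, client_id: str,
                       numbers: Iterable[str]) -> dict:
    """Probe each candidate until the service cuts the client off.
    Returns how many numbers were probed and which resolved to a profile."""
    hits: Dict[str, dict] = {}
    probed = 0
    for number in numbers:
        try:
            profile = service.lookup(client_id, number)
        except RateLimited:
            break
        probed += 1
        if profile is not None:
            hits[number] = profile
    return {"probed": probed, "hits": hits}


if __name__ == "__main__":
    block = list(candidate_numbers("+4477009", 0, 1000, 5))  # +447700900000 .. +447700900999
    unlimited = LookupService(SAMPLE_DIRECTORY, max_lookups=10**9, window_seconds=60)
    print("no limit   :", enumerate_profiles(unlimited, "sweeper", block))
    limited = LookupService(SAMPLE_DIRECTORY, max_lookups=100, window_seconds=60)
    print("100 per min:", enumerate_profiles(limited, "sweeper", block))
```

With no limit the sweep of a thousand numbers returns all three seeded profiles; with a budget of 100 lookups per minute it is stopped after 100 probes and finds none of them. A real limit would also need to key on more than a self-declared client id (token, IP range, device), since an attacker can spread the sweep across many identities; the example shows the shape of the control, not a production policy.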
"Unfortunately, for the 1.44 billion people currently using Facebook, this means that sophisticated hackers and black market sellers can access names and mobile phone numbers in as little as an hour through reverse engineering."
Mr Moaiandin reported the issue to Facebook in April, and again in July, but a Facebook security engineer said the company did not consider it a security vulnerability.
A Facebook spokesperson added that "everyone who uses Facebook has control of the information they share", and developers are only able to access information that "people have chosen to make public".
Last month, Facebook introduced a feature that allows users to easily silence annoying friends in their news feeds, without actually "unfriending" them.
Users can also unfollow any page or group that they have seen in their news feed over the past week, if they no longer want to see their updates.
How to protect yourself
If you're worried about hackers harvesting your Facebook data in this way, here's how to stop people finding you on Facebook using your mobile number:
- Click on the downward arrow in the top right corner of the taskbar
- Select "Settings"
- Select "Privacy" from the menu on the left
- Go down to "Who can look you up using the phone number you provided?"
- Click on "Edit" and select "Friends"