Facebook has been urged to enhance its privacy settings after a software engineer discovered a way to harvest data from users by guessing their phone numbers.
Reza Moaiandin discovered the flaw, which stems from a little-known privacy setting that, by default, allows anyone to look up a Facebook user by typing in their phone number. Users can be found this way even if they have set their phone number to private.
Moaiandin used a simple algorithm to generate thousands of mobile numbers per second, then submitted the numbers to Facebook’s application programming interface (API), the interface developers use to build apps linked to Facebook.
Within minutes, Moaiandin had collected large numbers of users’ profiles. Although everything he received was information the users had already made public, the scale at which it could be gathered shows how easily the process could be abused.
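To make the mechanism concrete, here is an added illustration that is not code from the article, from Moaiandin, or from Facebook: a toy lookup-by-phone endpoint with a per-user "who can find me" setting, a brute-force enumerator that walks a sequential number range against it, and a simple per-caller rate limiter of the kind an abuse-monitoring control would apply. The users, the phone numbers (drawn from the Ofcom range reserved for fiction), the endpoint and the limit values are all constructed for the example.

```python
from collections import deque
from dataclasses import dataclass

# Constructed data: the 07700 900xxx range is reserved by Ofcom for drama, so
# none of these numbers belong to a real subscriber.
UK_TEST_PREFIX = "+447700900"


@dataclass
class User:
    name: str
    phone: str
    # "everyone" is the default the article criticises; "friends" opts out.
    lookup_by_phone: str = "everyone"


class RateLimited(Exception):
    """Raised when a caller exceeds the sliding-window lookup budget."""


class PhoneLookupAPI:
    """Toy stand-in for a lookup-by-phone endpoint (not Facebook's API)."""

    def __init__(self, users, window_seconds=60.0, max_lookups=50):
        self._by_phone = {u.phone: u for u in users}
        self.window = window_seconds
        self.max_lookups = max_lookups
        self._calls = {}  # caller id -> timestamps of recent lookups

    def _check_rate(self, caller, now):
        # Sliding window: drop timestamps older than the window, then count.
        recent = self._calls.setdefault(caller, deque())
        while recent and now - recent[0] >= self.window:
            recent.popleft()
        if len(recent) >= self.max_lookups:
            raise RateLimited(f"{caller}: {len(recent)} lookups in {self.window}s")
        recent.append(now)

    def find_by_phone(self, caller, phone, now):
        """Return public profile fields for a number, or None if not findable."""
        self._check_rate(caller, now)
        user = self._by_phone.get(phone)
        if user is None or user.lookup_by_phone != "everyone":
            return None
        # Only public fields are returned; the phone itself is never echoed back,
        # but the caller already knows it because they supplied it.
        return {"name": user.name}


def enumerate_range(api, caller, prefix, digits, rate_per_second=1000.0):
    """Brute-force every number prefix + 000..999 (for digits=3).

    Returns (found, attempted): numbers that resolved to a profile, and how
    many lookups were sent before the API refused one (or the range ran out).
    """
    found = {}
    attempted = 0
    for i in range(10 ** digits):
        phone = f"{prefix}{i:0{digits}d}"
        now = attempted / rate_per_second  # simulated clock: N lookups per second
        attempted += 1
        try:
            hit = api.find_by_phone(caller, phone, now)
        except RateLimited:
            break
        if hit:
            found[phone] = hit["name"]
    return found, attempted


# Constructed sample accounts.
USERS = [
    User("Alice", UK_TEST_PREFIX + "123"),
    User("Bob", UK_TEST_PREFIX + "456"),
    User("Carol", UK_TEST_PREFIX + "789", lookup_by_phone="friends"),
]


if __name__ == "__main__":
    # No effective limit: the whole 1,000-number block is swept in one second.
    unlimited = PhoneLookupAPI(USERS, max_lookups=10**6)
    print(enumerate_range(unlimited, "attacker", UK_TEST_PREFIX, 3))
    # Default limit of 50 lookups per minute: the sweep is cut off almost at once.
    limited = PhoneLookupAPI(USERS)
    print(enumerate_range(limited, "attacker", UK_TEST_PREFIX, 3))
```

Two things are worth noticing when running it. Carol is never returned in either run because her setting is "friends", which is the only control a user has over this; and the rate limiter only slows a single caller down, so an attacker with many API identities can still sweep the space, which is why a per-caller limit is monitoring rather than a fix.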
“If Facebook cares about its community, it should perhaps do more to lead them in the right direction,” Moaiandin said. “Perhaps ensuring that users have to choose whether they want to make their phone numbers publicly accessible, rather than that being a default.”
Moaiandin likened the setting to walking into a bank and asking for a few thousand account numbers, and the bank handing them over.
The software engineer reported the setting to Facebook through its bug bounty scheme in April, then again in July. He also encouraged the social networking site to add a second layer of encryption like the ones Apple and Google have in place, which he says would stop people like him from finding phone numbers at random.
“We do not consider it a security vulnerability, but we do have controls in place to monitor and mitigate abuse,” a Facebook employee explained.
Facebook has insisted that it has strict rules limiting the use of its API and that it takes firm action against anyone who breaks them.
Moaiandin recommends that users who do not want to be found this way select "friends only" under Facebook's "Who can find me?" setting.