
Thousands of Facebook users’ data harvested

Using a simple algorithm, Moaiandin generated tens of thousands of mobile numbers a second and then sent these guesses to Facebook’s application programming interface (API).


Facebook Inc (NASDAQ:FB) has been besieged with requests and demands from concerned users to further tighten its “privacy settings” after news emerged that software engineer Reza Moaiandin had revealed how he was able to access the “names, profile pictures and locations of users who had linked their mobile number to their Facebook account”.

“Unfortunately for the 1.44 billion people now using Facebook, this means that sophisticated hackers and black market sellers can access names and mobile phone numbers in as little as an hour through reverse engineering – at a time when an entire identity can be sold for as little as “, he said.

“If Facebook cares about its community, it should perhaps do more to lead them in the right direction – perhaps ensuring that users have to choose whether they want to make their phone numbers publicly accessible, rather than that being a default”, said computer security analyst, Graham Cluley.

Both Moaiandin and other security researchers have called on the social network to implement a two-step encryption layer that would have prevented Moaiandin from exploiting the “Who can find me?” privacy setting.

“This could be a huge phishing problem if no limit is created, and the loophole is discovered by the wrong person”, he wrote in a blog post. Mr. Moaiandin submitted the discrepancy to Facebook through its “bug bounty” program, but still opted to go public with the results, after testing his theory.
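One way to enforce the kind of limit the quote above refers to, shown as an added example that is not from this article, Facebook, or Moaiandin's blog post: a per-client cap on how many distinct phone numbers may be looked up within a sliding time window, replayed over constructed traffic. The class name, thresholds, client IDs and phone numbers are all assumptions made for illustration.

```python
from collections import defaultdict


class LookupLimiter:
    """Caps the number of DISTINCT phone numbers one API client may look up per window."""

    def __init__(self, max_distinct=20, window_s=3600):
        self.max_distinct = max_distinct   # assumed threshold, tune per product
        self.window_s = window_s           # assumed window length in seconds
        self._seen = defaultdict(dict)     # client_id -> {number: last_lookup_ts}

    @staticmethod
    def normalize(number):
        # "+1 555-010-0001" and "15550100001" must count as the same number.
        return "".join(ch for ch in number if ch.isdigit())

    def allow(self, client_id, number, now):
        number = self.normalize(number)
        seen = self._seen[client_id]
        # Forget numbers whose last lookup fell out of the window.
        for stale in [n for n, ts in seen.items() if now - ts >= self.window_s]:
            del seen[stale]
        # Re-querying a known number is fine; a new one past the cap is refused.
        if number not in seen and len(seen) >= self.max_distinct:
            return False
        seen[number] = now
        return True


def replay(events, limiter):
    """events: (timestamp_s, client_id, number) tuples. Returns {client: [allowed, denied]}."""
    tally = defaultdict(lambda: [0, 0])
    for ts, client, number in events:
        tally[client][0 if limiter.allow(client, number, ts) else 1] += 1
    return dict(tally)


# Constructed sample traffic: one client syncing a few contacts, one sweeping a range.
SAMPLE = [(i * 600, "app-contacts", f"+1 555-010-{i:04d}") for i in range(3)]
SAMPLE += [(i, "app-sweep", f"+1555020{i:04d}") for i in range(100)]
SAMPLE.sort()

if __name__ == "__main__":
    for client, (ok, denied) in replay(SAMPLE, LookupLimiter()).items():
        print(f"{client}: allowed={ok} denied={denied}")
```

Counting distinct numbers rather than raw requests keeps ordinary contact syncing unaffected while a sequential sweep hits the cap quickly; the denied count per client is also a useful alerting signal.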

We are reaching out to Facebook for comments on why this is not considered a vulnerability.

“We have strict rules that govern how developers are able to use our APIs to build their products”.

Many users are not even aware they ARE “sharing” their mobile number in this way.


A Facebook spokesperson added that “everyone who uses Facebook has control of the information they share”, and developers are only able to access information that “people have chosen to make public”.
