British software engineer Reza Moaiandin, of Salt Agency, recently posted details of his discovery, stating that he could harvest Facebook users' data on a mass scale by exploiting a little-known privacy setting that lets anyone find a Facebook user by typing their mobile phone number into the social network's search box. The default for the "Who can find me?" function is "Everyone/public", meaning anyone can find another user by their mobile number, even if that number is not visible on their public profile.
According to the findings, even people who had set their phone number as private were still searchable, because that setting only stops the number from appearing on your profile when non-friends view it. Without a change to your privacy settings, anyone can write a script that runs through possible number combinations via these URLs, and if a number is associated with a Facebook account, it can then be tied to a name and further details (images, and so on).
"This could be a huge phishing problem if no limit is created, and the loophole is discovered by the wrong person," he wrote in a blog post. "Unfortunately, for the 1.44 billion people currently using Facebook, this means that sophisticated hackers and black market sellers can access names and mobile phone numbers in as little as an hour through reverse engineering."
Mr Moaiandin told The Guardian the loophole was akin to "walking into a bank, asking for a few thousand customers' personal information based on their account number, and the bank telling you: 'Here are their customer details.' "
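As an added example (not from the original post, and not Facebook's code), here is the kind of detection logic a site operator could run over its own lookup-endpoint logs to catch the pattern described above: one client querying many distinct numbers in a short window with no limit, mostly misses, often in numeric sequence. The log format, client identifiers, sample log lines and thresholds are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample log of a hypothetical "find user by phone number" endpoint.
# Assumed format: "<epoch_seconds> <client_id> <queried_number> <hit|miss>"
SAMPLE_LOG = """\
1000 10.0.0.5 +447700900101 hit
1003 10.0.0.5 +447700900102 miss
1006 10.0.0.5 +447700900103 miss
1009 10.0.0.5 +447700900104 miss
1012 10.0.0.5 +447700900105 miss
1015 10.0.0.5 +447700900106 hit
1000 10.0.0.9 +447700900555 hit
1500 10.0.0.9 +447700900555 hit
"""

def parse_log(text):
    """Turn log lines into (timestamp, client, number, hit) tuples."""
    entries = []
    for line in text.splitlines():
        ts, client, number, outcome = line.split()
        entries.append((int(ts), client, number, outcome == "hit"))
    return entries

def profile_clients(entries, window):
    """Per client: peak distinct numbers queried within any `window` seconds,
    miss rate, and share of queries that simply step to the next number."""
    by_client = defaultdict(list)
    for ts, client, number, hit in entries:
        by_client[client].append((ts, number, hit))
    profiles = {}
    for client, events in by_client.items():
        events.sort()  # time order, so sequential guessing shows up as +1 steps
        peak = max(len({n for t, n, _ in events[i:] if t - start <= window})
                   for i, (start, _, _) in enumerate(events))
        misses = sum(1 for _, _, hit in events if not hit)
        digits = [int(n.lstrip("+")) for _, n, _ in events]
        steps = [b - a for a, b in zip(digits, digits[1:])]
        sequential = sum(1 for s in steps if s == 1) / len(steps) if steps else 0.0
        profiles[client] = {"peak": peak, "miss_rate": misses / len(events),
                            "sequential": sequential}
    return profiles

def flag_enumerators(entries, window=60, max_distinct=5, min_miss_rate=0.5):
    """Clients over the per-window lookup budget whose queries look like guessing.
    Thresholds are illustrative assumptions, not Facebook's."""
    profiles = profile_clients(entries, window)
    return sorted(c for c, p in profiles.items()
                  if p["peak"] > max_distinct and p["miss_rate"] >= min_miss_rate)
```

The same per-window budget, enforced at request time rather than in log review, is the "limit" the post says was missing.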
How to update your Facebook security for better privacy!

Facebook users can and should change their privacy settings manually to avoid this potential invasion of privacy, and it doesn't take much time. In fact, it only takes a few seconds and really doesn't hurt anything in the long run!
From a desktop
- Open Facebook in your browser, click on the upside down triangle at the top right, and select Settings.
- Select Privacy from the left pane.
- Find Who Can Look Me Up under Privacy Settings and Tools.
- Select Who can look me up using the phone number you provided? and change it to Friends of Friends or just Friends. Just Friends is likely your best bet.
- You will also notice an option for Who can look me up using the email address you provided? I suggest doing this as well, just as a matter of extra privacy.
From the mobile app
- In the Facebook app, tap on the hamburger icon (three lines) at the top right and find Account Settings.
- Tap on Privacy.
- Find Who Can Look Me Up under How You Connect.
- Select Who can look me up using the phone number you provided? and change it to Friends of Friends or just Friends. Here again just Friends would be the setting of choice.
- You will also notice an option for Who can look me up using the email address you provided? Again changing this is up to you but I always have it limited.
According to the reports we've seen, Facebook has denied having a "security loophole", as the accessed data was designated public. The site said it had strict rules on how developers may use its application programming interfaces. "The privacy of people who use Facebook is extremely important to us," a spokeswoman said, adding that "everyone who uses Facebook has control of the information they share, including information on their profile and who can look them up by phone number."
While we agree this may not technically be a 'security issue', since the lookup is designed to be public, the fact that it is public by default certainly makes it a privacy issue for those who aren't aware they need to change the setting.