Hackers and other miscreants are able to access names, telephone numbers, images and location data in bulk from Facebook, using only a cellphone number.
The loophole was revealed by software engineer Reza Moaiandin.
Moaiandin, technical director at UK-based tech firm Salt.agency, relied on a little-known privacy setting, "Who can find me?", which defaults to "Everyone/public" even when a user has chosen not to display their mobile number on their public profile. Hiding the number from the profile page does not stop a stranger from finding the profile by searching for that number.
The upshot was that Moaiandin could not only find a Facebook user by typing their phone number into the social network, but also obtain their name, profile pictures and locations. The process can be scripted against Facebook's API, so an attacker need not know any particular number in advance: feeding generated numbers to the lookup in bulk returns a profile for every one that matches.
The information harvested is, strictly, publicly available. The complaint is that Facebook failed to make it "as difficult as possible" for third parties to vacuum up publicly shared information at scale.
Security watchers are urging Facebook to tighten up its account control settings in the wake of the security flap. In the meantime, denizens of the social network can act to protect themselves.
Philip Lieberman, chief exec of privilege management firm Lieberman Software, commented: “Given that Facebook is a public-facing social network, the ability to farm its public users’ information has always been the case. In fact, many sophisticated spear phishing attacks are based on public information found on Facebook and other social networks."
"The best protection from these types of attacks is to not publish anything that you don’t want used to attack you. Don’t depend on the feature to limit access to your data to only your 'friends', since your friends will probably get compromised and your private information will be available to the attacker," he added.
"Assume that everything you post online will be available to the worst possible entities to cause you maximum grief," he said.
Facebook can easily block the automated harvesting of data using the technique exposed by Moaiandin, according to Lieberman. "There is data throttling in the Facebook API that limits the rate and amount of data that can be brought back," Lieberman explained. "Large or bulk exports are flagged at Facebook for human review."
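The two controls Lieberman describes, per-request throttling and flagging of bulk exports, do different jobs, and the distinction matters for a harvester that runs slowly. The following is an added example written for this article, not Facebook's code or a description of its API: a toy reverse-lookup service with a constructed directory, a sliding-window rate limiter and a bulk-harvest detector that counts distinct numbers rather than requests. The limits (30 requests per minute, 50 distinct numbers per hour) and all names and numbers are assumed values chosen to make the behaviour visible.

```python
"""Toy model: phone-number reverse lookup behind rate limiting and bulk-harvest detection.
Added example for this article; NOT Facebook's API. All data below is constructed."""
from collections import defaultdict, deque
from typing import Optional

# Constructed sample directory (invented entries). 'lookup' is the user's explicit
# "who can find me" choice; a missing key falls back to the platform default.
# 'number_on_profile' is deliberately irrelevant to the lookup, which is the point.
DIRECTORY = {
    "+15550100": {"name": "Alice Example", "number_on_profile": False},
    "+15550101": {"name": "Bob Example", "number_on_profile": False, "lookup": "friends"},
    "+15550102": {"name": "Carol Example", "number_on_profile": True},
}
DEFAULT_LOOKUP = "everyone"  # the default the article describes; set to "friends" to compare


def reverse_lookup(number: str, default: str = DEFAULT_LOOKUP) -> Optional[dict]:
    """Return public fields for a number, gated only by the lookup setting (or its default)."""
    profile = DIRECTORY.get(number)
    if profile is None:
        return None
    if profile.get("lookup", default) != "everyone":
        return None  # a stranger may not look this user up
    return {"name": profile["name"], "number": number}


class SlidingWindowLimiter:
    """Per-client limit: at most `limit` requests in any `window` seconds."""

    def __init__(self, limit: int, window: float):
        self.limit, self.window = limit, window
        self._hits = defaultdict(deque)

    def allow(self, client: str, now: float) -> bool:
        q = self._hits[client]
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class BulkHarvestDetector:
    """Flag a client once it has looked up more than `max_distinct` different numbers
    within `window` seconds, regardless of how slowly it sends them."""

    def __init__(self, max_distinct: int, window: float):
        self.max_distinct, self.window = max_distinct, window
        self._seen = defaultdict(dict)  # client -> {number: last_seen}

    def record(self, client: str, number: str, now: float) -> bool:
        seen = self._seen[client]
        seen[number] = now
        for stale in [n for n, t in seen.items() if now - t >= self.window]:
            del seen[stale]
        return len(seen) > self.max_distinct


def simulate(requests, rate_limit=(30, 60.0), bulk_limit=(50, 3600.0)):
    """Run (time, client, number) requests through both controls; return per-client counts."""
    limiter = SlidingWindowLimiter(*rate_limit)
    detector = BulkHarvestDetector(*bulk_limit)
    report = defaultdict(lambda: {"served": 0, "throttled": 0, "flagged": False})
    for now, client, number in sorted(requests):
        r = report[client]
        if not limiter.allow(client, now):
            r["throttled"] += 1
            continue
        if detector.record(client, number, now):
            r["flagged"] = True
        if reverse_lookup(number) is not None:
            r["served"] += 1
    return dict(report)


def demo_requests():
    """Constructed traffic: a normal user, a noisy harvester and a low-and-slow harvester."""
    reqs = [(0.0, "normal", "+15550100"), (5.0, "normal", "+15550101"), (9.0, "normal", "+15550102")]
    # Noisy harvester: 100 sequential numbers in 10 seconds; the rate limit stops most of them.
    reqs += [((i - 100) * 0.1, "fast", f"+1555{i:04d}") for i in range(100, 200)]
    # Low-and-slow harvester: one number every 3 seconds (20/min), so the rate limit
    # never fires; only the distinct-number count catches it.
    reqs += [((i - 100) * 3.0, "slow", f"+1555{i:04d}") for i in range(100, 200)]
    return reqs


if __name__ == "__main__":
    for client, counts in simulate(demo_requests()).items():
        print(client, counts)
```

Bob is never returned to any client because he changed the setting; Alice and Carol are returned to everyone, including the harvesters, because they left the default in place. The fast harvester loses 70 of its 100 requests to the limiter, while the slow one gets every request through and is caught only by the distinct-number threshold, which is the "human review" layer Lieberman refers to.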
Moaiandin first notified Facebook about the issue in April, prior to going public last week. What he highlights is a privacy issue rather than a security vulnerability as such: no access control is bypassed, and each lookup returns only what the owner's settings already make public. The problem lies in the default value of that setting and in how cheaply the lookup can be repeated at scale. In response, Facebook issued a statement downplaying the issue, arguing that the rate limiting controls already in place would prevent harvesting.
“The privacy of people who use Facebook is extremely important to us. We have industry-leading proprietary network monitoring tools constantly running in order to ensure data security and have strict rules that govern how developers are able to use our APIs to build their products," said a Facebook spokeswoman.
"Developers are only able to access information that people have chosen to make public," she added.
“Everyone who uses Facebook has control of the information they share, this includes the information people include within their profile, and who can see this information. Our Privacy Basics tool has a series of helpful guides that explain how people can quickly and easily decide what information they share and who they share it with," added the spokeswoman.
Instructions on how to change Facebook settings so you can't be searched for by mobile number can be found in a post on Sophos' Naked Security blog here.
Commentary on the rights and wrongs of the issue more generally from veteran security expert Graham Cluley can be found here. ®