Wanna harvest a stranger's Facebook data? Get a mobile number and off you go

'EVERYTHING FINE' insists Zuck's ad empire


Hackers and other miscreants are able to access names, telephone numbers, images and location data in bulk from Facebook, using only a cellphone number.

The loophole was revealed by software engineer Reza Moaiandin.

Moaiandin, technical director at UK-based tech firm Salt.agency, exploited a little-known privacy setting in a feature called "Who can find me?" that is set to "Everyone/public" by default even in cases where a user has decided not to expose their mobile number via their public profile.

The upshot was that Moaiandin could not only find a Facebook user by typing their phone number into the social network, but also obtain their name, profile pictures and locations. This process can be scripted and automated to work through Facebook's API.

The information harvested is publicly available. Facebook's error comes from a failure to make it "as difficult as possible" for third parties to vacuum up publicly shared information in bulk.

Security watchers are urging Facebook to tighten up its account control settings in the wake of the security flap. In the meantime, denizens of the social network can act to protect themselves.

Philip Lieberman, chief exec of privilege management firm Lieberman Software, commented: "Given that Facebook is a public-facing social network, the ability to farm its public users' information has always been the case. In fact, many sophisticated spear phishing attacks are based on public information found on Facebook and other social networks."

"The best protection from these types of attacks is to not publish anything that you don’t want used to attack you. Don’t depend on the feature to limit access to your data to only your 'friends', since your friends will probably get compromised and your private information will be available to the attacker," he added.

"Assume that everything you post online will be available to the worst possible entities to cause you maximum grief," he said.

Facebook can easily block the automated harvesting of data using the technique exposed by Moaiandin, according to Lieberman. "There is data throttling in the Facebook API that limits the rate and amount of data that can be brought back," Lieberman explained. "Large or bulk exports are flagged at Facebook for human review."
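A server-side sketch, added here and not Facebook's own code, of the two points the story turns on: whether a number is displayed on a profile is separate from whether an account can be looked up by that number, and per-caller throttling with review flagging is what makes bulk lookups costly. All class names, thresholds and sample profiles are constructed for this example.

```python
from collections import deque
from dataclasses import dataclass, field
import time


@dataclass
class Profile:
    name: str
    phone: str
    phone_on_profile: bool  # is the number shown on the public profile?
    lookup_by_phone: str    # "everyone" (the default at issue), "friends" or "nobody"
    friends: set = field(default_factory=set)


class PhoneLookupService:
    """Constructed reverse-lookup endpoint: honours the lookup setting and throttles callers."""

    def __init__(self, profiles, limit=20, window=60.0, review_threshold=100):
        self.by_phone = {p.phone: p for p in profiles}
        self.limit, self.window = limit, window       # sliding-window rate limit per caller
        self.review_threshold = review_threshold      # total lookups before flagging for review
        self.requests = {}                            # caller -> deque of request timestamps
        self.totals = {}
        self.flagged = set()

    def _throttled(self, requester, now):
        q = self.requests.setdefault(requester, deque())
        while q and now - q[0] > self.window:         # drop timestamps outside the window
            q.popleft()
        if len(q) >= self.limit:
            return True
        q.append(now)
        self.totals[requester] = self.totals.get(requester, 0) + 1
        if self.totals[requester] >= self.review_threshold:
            self.flagged.add(requester)               # bulk caller queued for human review
        return False

    def lookup(self, requester, phone, now=None):
        now = time.monotonic() if now is None else now
        if self._throttled(requester, now):
            return {"status": "rate_limited"}
        target = self.by_phone.get(phone)
        # The lookup setting, not phone_on_profile, decides discoverability. Return the same
        # answer for "no such number" and "not discoverable" so the endpoint is not an oracle.
        if target is None or not (
            target.lookup_by_phone == "everyone"
            or (target.lookup_by_phone == "friends" and requester in target.friends)
        ):
            return {"status": "not_found"}
        return {"status": "ok", "name": target.name}
```

With the default setting left at "everyone", a number hidden from the profile still resolves to a name, which is exactly the gap Moaiandin described.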

Moaiandin first notified Facebook about the issue in April prior to going public last week. What he highlights is a privacy issue rather than a security vulnerability as such. In response, Facebook issued a statement downplaying the issue, arguing that rate limiting controls already in place would prevent harvesting.

"The privacy of people who use Facebook is extremely important to us. We have industry-leading proprietary network monitoring tools constantly running in order to ensure data security and have strict rules that govern how developers are able to use our APIs to build their products," said a Facebook spokeswoman.

"Developers are only able to access information that people have chosen to make public," she added.

"Everyone who uses Facebook has control of the information they share; this includes the information people include within their profile, and who can see this information. Our Privacy Basics tool has a series of helpful guides that explain how people can quickly and easily decide what information they share and who they share it with," added the spokeswoman.

Instructions on how to change Facebook settings so you can't be searched for by mobile number can be found in a post on Sophos' Naked Security blog here.

Commentary on the rights and wrongs of the issue more generally from veteran security expert Graham Cluley can be found here. ®


Biting the hand that feeds IT © 1998–2021