A security researcher has found a way to exploit a Facebook feature to harvest personal data belonging to thousands of users. With a simple trick that takes advantage of one of Facebook’s default privacy settings, the researcher was able to link thousands of phone numbers to Facebook accounts. Hackers with malicious intentions could replicate the procedure to collect data belonging to even more users, and then try to sell it on the black market.
According to The Guardian, the privacy issue appears to reside in Facebook’s “Who can find me?” setting, which is set to Everyone/public on all Facebook profiles by default. That means anyone who enters a phone number into the search field can find the matching person, as long as that person has a Facebook account with a phone number attached to it.
Software engineer Reza Moaiandin used an algorithm to generate thousands of phone numbers and then used Facebook’s API to collect thousands of profiles linked to some of those numbers.
The same procedure could be run at a much larger scale, meaning that the system is open to abuse.
Users can do two things to avoid becoming unknowing victims of hackers collecting Facebook data this way. First of all, they can choose not to link their phone numbers to their Facebook profiles. If that’s not an option, they can change the setting mentioned above to friends-only, so that their phone numbers can’t be easily traced back to their profiles.
Moaiandin compared the flaw to “walking into a bank, asking for a few thousand customers’ personal information based on their account number, and the bank telling you: ‘Here are their customer details.’”
The researcher says he has contacted Facebook twice since discovering the issue, though Facebook apparently doesn’t consider it a vulnerability that can be abused. The company said that there are controls in place to monitor and mitigate abuse.
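As an added illustration (not from the article, Moaiandin, or Facebook), this is the kind of server-side check a lookup service could run over its own request log to spot the enumeration pattern described above: a client submitting many numbers, mostly consecutive, with few of them matching a real account. The log format, client ids, numbers and thresholds are all constructed for the example.

```python
from collections import defaultdict

# Constructed sample request log of a phone-number lookup endpoint (not real data):
# timestamp, client id, number looked up, whether a profile matched.
SAMPLE_LOG = """\
2015-08-06T10:00:01 client-A +15550000001 hit
2015-08-06T10:00:02 client-A +15550000002 miss
2015-08-06T10:00:02 client-A +15550000003 miss
2015-08-06T10:00:03 client-A +15550000004 hit
2015-08-06T10:00:03 client-A +15550000005 miss
2015-08-06T10:00:04 client-A +15550000006 miss
2015-08-06T10:00:04 client-A +15550000007 miss
2015-08-06T10:00:05 client-A +15550000008 miss
2015-08-06T10:05:00 client-B +15559876543 hit
2015-08-06T10:07:12 client-B +15551234567 hit
"""

def parse_log(text):
    """Group lookups per client as (number as int, matched?) in log order."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, client, number, outcome = line.split()
        events[client].append((int(number.lstrip("+")), outcome == "hit"))
    return events

def enumeration_score(lookups, min_lookups=5, max_hit_rate=0.5, min_sequential=0.5):
    """Return (flagged, stats) for one client's lookups.
    Generated numbers mostly belong to nobody (low hit rate) and tend to be
    consecutive (high fraction of adjacent lookups differing by at most 1)."""
    n = len(lookups)
    if n < min_lookups:
        return False, {"lookups": n}
    hits = sum(1 for _, hit in lookups if hit)
    numbers = [num for num, _ in lookups]
    sequential = sum(1 for a, b in zip(numbers, numbers[1:]) if abs(b - a) <= 1)
    stats = {"lookups": n, "hit_rate": hits / n,
             "sequential_fraction": sequential / (n - 1)}
    flagged = stats["hit_rate"] <= max_hit_rate and stats["sequential_fraction"] >= min_sequential
    return flagged, stats

def flag_enumerators(text, **thresholds):
    """Map each client id in the log to (flagged, stats)."""
    return {client: enumeration_score(lookups, **thresholds)
            for client, lookups in parse_log(text).items()}

if __name__ == "__main__":
    for client, (flagged, stats) in flag_enumerators(SAMPLE_LOG).items():
        print(client, "ENUMERATION" if flagged else "normal", stats)
```

In production the same statistics would be computed per client over a sliding time window and fed into rate limiting, which is the class of control the article says Facebook claims to have.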