Monday, 10 August 2015

Facebook Hacked : Software Engineer Discovers Flaw, Harvests Public User Data With Algorithm

Facebook has been urged to tighten its privacy settings after a software engineer was able to harvest data about thousands of users – simply by guessing their mobile numbers.

“Hacked” is a word that nobody wants to hear associated with Facebook, and it’s maybe a bit of an overstatement here. Software engineer Reza Moaiandin, technical director of Leeds-based Salt.agency, took note of a relatively unused Facebook feature which allows users to search for other Facebook users, using only their phone number.
 
All of the data is publicly available, but as there is no limit to the number of searches an individual user can make, the loophole could be used by cyber crooks to extract information about “millions” of users, according to Moaiandin. Writing on the company blog, he said the loophole was discovered “by mistake”:
"By using a script, an entire country’s (I tested with the US, the UK and Canada) possible number combinations can be run through these URLs, and if a number is associated with a Facebook account, it can then be associated with a name and further details"
Moaiandin has alerted Facebook to the security flaw, and a spokesperson told him “We do not consider it a security vulnerability, but we do have controls in place to monitor and mitigate abuse.”
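The weakness the engineer describes is not the lookup feature itself but the absence of any cap on how many lookups one client can make, which turns a convenience feature into a bulk enumeration oracle. The following is an added, defender-side example (not code from the article, from Moaiandin, or from Facebook) of the two controls a service owner would put in front of such an endpoint: a per-client sliding-window rate limit, and a heuristic that flags a client walking through consecutive phone numbers even while it stays under the limit. The endpoint, client ids, thresholds and the log lines are all constructed for illustration.

```python
"""Abuse monitor for a phone-number -> profile lookup endpoint (constructed example).

Two independent controls:
  * a sliding-window rate limit per client ("throttle"),
  * detection of sequential number walks, i.e. N lookups where each number is
    the previous one plus 1 ("flag"), which a legitimate user never produces.
"""
from collections import defaultdict, deque
import re

WINDOW_SECONDS = 60            # length of the sliding window (assumed value)
MAX_LOOKUPS_PER_WINDOW = 20    # hard per-client cap inside the window (assumed value)
SEQUENTIAL_RUN_THRESHOLD = 5   # consecutive +1 numbers that count as a number walk


class LookupAbuseMonitor:
    def __init__(self, window=WINDOW_SECONDS, max_lookups=MAX_LOOKUPS_PER_WINDOW,
                 seq_threshold=SEQUENTIAL_RUN_THRESHOLD):
        self.window = window
        self.max_lookups = max_lookups
        self.seq_threshold = seq_threshold
        # client id -> deque of (timestamp, numeric phone) still inside the window
        self.events = defaultdict(deque)

    def record(self, client_id, phone, ts):
        """Record one lookup and return 'allow', 'throttle' or 'flag'."""
        number = int(re.sub(r"\D", "", phone))   # normalise "+1-555-0100" -> 15550100
        q = self.events[client_id]
        q.append((ts, number))
        # evict lookups that have fallen out of the sliding window
        while q and q[0][0] < ts - self.window:
            q.popleft()
        if len(q) > self.max_lookups:
            return "throttle"
        if self._longest_sequential_run(q) >= self.seq_threshold:
            return "flag"
        return "allow"

    @staticmethod
    def _longest_sequential_run(q):
        """Longest run of lookups in which each number equals the previous one + 1."""
        best = run = 1
        prev = None
        for _, n in q:
            if prev is not None and n == prev + 1:
                run += 1
                best = max(best, run)
            else:
                run = 1
            prev = n
        return best


def replay(log_lines):
    """Feed 'ts client phone' lines through one monitor; return decisions per client."""
    monitor = LookupAbuseMonitor()
    decisions = defaultdict(list)
    for line in log_lines:
        ts, client, phone = line.split()
        decisions[client].append(monitor.record(client, phone, int(ts)))
    return dict(decisions)


# Constructed sample log (timestamp, client id, looked-up number); not real traffic.
SAMPLE_LOG = (
    ["0 app-A +1-555-0100", "30 app-A +1-555-0187", "59 app-A +1-555-0142"]  # normal use
    + [f"{i} app-B +1-555-01{i:02d}" for i in range(5)]                      # walks 0100..0104
    + [f"{i} app-C +1-555-0{(i * 37) % 100:03d}" for i in range(22)]         # 22 scattered lookups
)

if __name__ == "__main__":
    for client, verdicts in replay(SAMPLE_LOG).items():
        print(client, verdicts)
```

Run as written, app-A stays on "allow", app-B is flagged on its fifth consecutive number (well under the volume cap, which is the point of having the second heuristic), and app-C is throttled from its 21st lookup inside the window. In a real deployment the client key would combine account, API key and source address, and both thresholds would be tuned against observed legitimate traffic.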
 
The “Who can search for me?” setting is set to public by default, meaning that even if your mobile number is withheld on the site, it can still be used to find you using this loophole. A Facebook spokesperson told City A.M. that this is set to public so that users can more easily be found by friends, and that users' privacy was "extremely important" to the company:
"We have industry leading proprietary network monitoring tools constantly running in order to ensure data security and have strict rules that govern how developers are able to use our APIs to build their products. Developers are only able to access information that people have chosen to make public."
