A security researcher has developed an algorithm that exploits a flaw in a Facebook default privacy setting to obtain cell phone numbers linked to Facebook accounts and then get information associated with those accounts.
After discovering that the Who Can Find Me? feature on Facebook, which helps someone find a member of the social media company's community by typing in a phone number, defaulted to a public setting, software engineer Reza Moaiandin, co-founder of SALT.agency, created the algorithm that generated tens of thousands of phone numbers, which were then sent to a Facebook application programming interface (API). Moaiandin announced his findings, last Tuesday, on his company's blog.
What the researcher got back was numerous user profiles, each with an identification number that could be used to obtain information such as the user's full name, public profile information, phone make and messenger type, according to the Guardian. The API only returned publicly available information, but Moaiandin said there is still room for abuse.
“A person with the right knowledge can harvest the non-private details of the users who allow public access to their phone numbers,” Moaiandin told SCMagazine.com via Monday email correspondence. He added that an attacker could then sell the information, making it available for unsolicited calls.
The researcher was not able to access account information for accounts whose owners had set their phone number discovery to Non-public.
Moaiandin said in the blog that he alerted Facebook twice earlier this year through its bug bounty program but the social media company responded that it didn't consider the feature a vulnerability. Moaiandin also wrote that Facebook explained there are controls in place to monitor and mitigate abuse but the researcher says there are ways around these measures such as using multiple accounts.
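Detection logic for the lookup pattern described above, as an added example that is not Facebook's code: it scans a constructed reverse-phone-lookup audit log and flags any source whose queries are high-volume or walk through consecutive numbers, keyed by source IP as well as by account so that spreading the queries across several accounts (the workaround mentioned above) still trips the IP-level check. The log format, field names and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed audit-log format: "<iso time> account=<id> ip=<addr> number=<e164> hit=<0|1>"
LINE_RE = re.compile(r"(?P<ts>\S+) account=(?P<account>\S+) ip=(?P<ip>\S+) number=\+?(?P<number>\d+)")

# Constructed sample: two accounts on one host sweep consecutive numbers; b1 is a normal user.
SAMPLE_LOG = """\
2015-08-10T10:00:00 account=a1 ip=203.0.113.7 number=+447700900100 hit=0
2015-08-10T10:00:01 account=a1 ip=203.0.113.7 number=+447700900101 hit=1
2015-08-10T10:00:02 account=a1 ip=203.0.113.7 number=+447700900102 hit=0
2015-08-10T10:00:03 account=a2 ip=203.0.113.7 number=+447700900103 hit=1
2015-08-10T10:00:04 account=a2 ip=203.0.113.7 number=+447700900104 hit=0
2015-08-10T10:00:05 account=a2 ip=203.0.113.7 number=+447700900105 hit=1
2015-08-10T10:01:00 account=b1 ip=198.51.100.2 number=+447700900555 hit=1
2015-08-10T10:03:00 account=b1 ip=198.51.100.2 number=+447700900777 hit=0
"""

def parse(log):
    """Turn log lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in log.strip().splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "account": m["account"],
                           "ip": m["ip"], "number": int(m["number"])})
    return events

def find_enumerators(log, window=timedelta(minutes=5), max_lookups=5, seq_ratio=0.8):
    """Return {key: [reasons]} for accounts and IPs whose lookups look automated."""
    by_key = defaultdict(list)
    for e in parse(log):                      # index every event under both keys
        by_key["account:" + e["account"]].append(e)
        by_key["ip:" + e["ip"]].append(e)
    flagged = {}
    for key, evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        reasons, start = [], 0
        for end in range(len(evs)):           # sliding window over distinct numbers queried
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if len({e["number"] for e in evs[start:end + 1]}) > max_lookups:
                reasons.append("volume")
                break
        nums = [e["number"] for e in evs]     # generated number lists tend to be consecutive
        steps = [b - a for a, b in zip(nums, nums[1:])]
        if len(steps) >= 3 and sum(s == 1 for s in steps) / len(steps) >= seq_ratio:
            reasons.append("sequential")
        if reasons:
            flagged[key] = reasons
    return flagged
```

With the sample log neither account alone exceeds the per-account threshold, but the shared IP is flagged on both volume and the consecutive-number pattern.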