News With phone numbers, your FB data can be accessed

Technoglitch

Hackers and other miscreants are able to access names, telephone numbers, images and location data in bulk from Facebook, using only a cellphone number.

The loophole was revealed by software engineer Reza Moaiandin.

Moaiandin, technical director at UK-based tech firm Salt.agency, exploited a little-known privacy setting in a feature called "Who can find me?" that is set to "Everyone/public" by default even in cases where a user has decided not to expose their mobile number via their public profile.

The upshot was that Moaiandin could not only find a Facebook user by typing their phone number into the social network, but also obtain their name, profile pictures and locations. This process can be scripted and automated to work through Facebook's API.

The information harvested is publicly available. Facebook's error lies in its failure to make it "as difficult as possible" for third parties to vacuum up publicly shared information in bulk.

Security watchers are urging Facebook to tighten up its account control settings in the wake of the security flap. In the meantime, denizens of the social network can act to protect themselves.

Philip Lieberman, chief exec of privilege management firm Lieberman Software, commented: “Given that Facebook is a public-facing social network, the ability to farm its public users’ information has always been the case. In fact, many sophisticated spear phishing attacks are based on public information found on Facebook and other social networks."

"The best protection from these types of attacks is to not publish anything that you don’t want used to attack you. Don’t depend on the feature to limit access to your data to only your 'friends', since your friends will probably get compromised and your private information will be available to the attacker," he added.

"Assume that everything you post online will be available to the worst possible entities to cause you maximum grief," he said.

Facebook can easily block the automated harvesting of data using the technique exposed by Moaiandin, according to Lieberman. "There is data throttling in the Facebook API that limits the rate and amount of data that can be brought back," Lieberman explained. "Large or bulk exports are flagged at Facebook for human review."

Wanna harvest a stranger's Facebook data? Get a mobile number and off you go • The Register
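The throttling Lieberman describes, a per-client rate limit on lookups plus a separate flag that sends unusually large exports to human review, is the defensive control the article points at. The following is an added illustration of that pattern and is not Facebook's code or the researcher's; the window size, per-window limit, review threshold and the "client/key" log lines are all constructed for the example, and the lookup keys are opaque placeholders rather than phone numbers.

```python
"""Per-client sliding-window throttle plus bulk-export flagging for a lookup endpoint.

Added example (not Facebook's or Salt.agency's code). It models the two controls
the article mentions: a rate limit on lookups, and a threshold above which a
client that has resolved many distinct records is flagged for human review.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Hypothetical policy values chosen for the example, not real platform settings.
WINDOW_SECONDS = 60
MAX_LOOKUPS_PER_WINDOW = 20      # hard throttle once exceeded inside the window
REVIEW_DISTINCT_RECORDS = 50     # flag for review once this many distinct records were resolved


@dataclass
class ClientState:
    timestamps: deque = field(default_factory=deque)   # lookup times still inside the window
    distinct_hits: set = field(default_factory=set)    # distinct records this client resolved
    flagged: bool = False                              # set once the review threshold is crossed


class LookupGuard:
    def __init__(self, window=WINDOW_SECONDS, max_per_window=MAX_LOOKUPS_PER_WINDOW,
                 review_threshold=REVIEW_DISTINCT_RECORDS):
        self.window = window
        self.max_per_window = max_per_window
        self.review_threshold = review_threshold
        self.clients = defaultdict(ClientState)

    def check(self, client_id, now, lookup_key):
        """Return 'allow', 'throttle' or 'review' for one lookup attempt."""
        st = self.clients[client_id]
        # Expire timestamps that have fallen out of the sliding window.
        while st.timestamps and now - st.timestamps[0] >= self.window:
            st.timestamps.popleft()
        if st.flagged:
            # Already under review: keep refusing until a human clears the client.
            return "review"
        if len(st.timestamps) >= self.max_per_window:
            return "throttle"
        st.timestamps.append(now)
        st.distinct_hits.add(lookup_key)
        if len(st.distinct_hits) > self.review_threshold:
            # A slow sweep stays under the rate limit but still harvests in bulk.
            st.flagged = True
            return "review"
        return "allow"


def replay(log_lines, guard=None):
    """Feed constructed 'timestamp client key' lines through the guard; return one decision per line."""
    guard = guard or LookupGuard()
    decisions = []
    for line in log_lines:
        ts, client, key = line.split()
        decisions.append(guard.check(client, float(ts), key))
    return decisions


def summarize(decisions):
    """Count decisions by outcome."""
    counts = {}
    for d in decisions:
        counts[d] = counts.get(d, 0) + 1
    return counts


# Constructed sample traffic (keys are placeholders, not real identifiers):
#  - "normal": five lookups spread over 50 seconds
#  - "fast":   120 lookups in 60 seconds, which trips the rate limit
#  - "slow":   60 lookups at 4-second spacing, under the rate limit but over the review threshold
SAMPLE_LOG = (
    [f"{t} normal key-{i}" for i, t in enumerate(range(0, 50, 10))]
    + [f"{0.5 * i:.1f} fast key-{i}" for i in range(120)]
    + [f"{4 * i} slow key-{i}" for i in range(60)]
)

if __name__ == "__main__":
    print(summarize(replay(SAMPLE_LOG)))
```

The point of keeping two separate controls is visible in the sample: the fast client is stopped by the rate limit alone, while the slow client never exceeds it and is only caught because the guard also counts distinct records resolved, which is the bulk-export signal Lieberman says should be routed to human review.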