Facebook Security Hole Allows Bulk Discovery of Personal Information

There’s a nasty little security hole (not a vulnerability according to Facebook – in case you were wondering exactly how important your privacy is) that was discovered recently. The original work seems to belong to Salt Agency, an SEO agency.

.about the hack

The flaw lets an attacker retrieve all of the public profile data of any user who has added a cellphone number to their account, provided the attacker knows or guesses that number. On the surface that might not sound serious, but as the Salt Agency post describes, nothing stops an attacker from generating every possible phone number for a country and resolving each one in turn: the lookup turns a bare number into a name and whatever else the profile exposes, so the whole number space can be harvested in bulk.

By using a script, an entire country’s (I tested with the US, the UK and Canada) possible number combinations can be run through these URLs, and if a number is associated with a Facebook account, it can then be associated with a name and further details (images, and so on).

.fixing the hack

To fix, select Settings from the padlock menu.

[Screenshot: FBFind_by_phone_Settings]

Then click Privacy on the menu on the left.

The screenshot below shows the default setting:

[Screenshot: FBFind_by_phone_default]

That default, Everyone, is what lets an attacker resolve your number to your profile. Limiting the audience here restricts who can look you up by phone number (it does not change who can see the rest of your profile). Restricting lookup to Friends only is somewhat pointless, since your friends already know how to find you; Friends of Friends keeps the useful case of letting people you probably know find you, while taking you out of a blanket sweep of the number space. Bear in mind that under Friends of Friends anyone who gets one of your friends to accept a request can still look you up.

[Screenshot: FBFind_by_phone_preferred]

.warning

Note that if you share your phone number with Facebook, Friends is the most restrictive setting available. There is no "Only me" option, so the only way to opt out of phone lookup entirely is not to have a phone number on the account.
