Hacker: Yes, I CAN!!
A security researcher claims that "digi-crims could easily scan the population of an entire country to find targets".
Reza Moaiandin, technical director at Salt Agency, has figured out a way to exploit a core Facebook feature to gather personal data belonging to its users.
Facebook Privacy Setting That Makes Your Identity Vulnerable
If you pay attention to the security settings in your Facebook profile, you will find a privacy setting that says 'Who can look me up?', or "Who can look you up using the phone number you provided?" which has been set to 'Everyone' by default.
This configuration allows anyone to find you just by typing your phone number into Facebook's search box, which then displays your profile.
But can you imagine how cybercriminals could take advantage of this privacy blunder?
By exploiting this default feature with a simple trick, the researcher was able to link thousands of phone numbers to respective Facebook accounts.
Moreover, this security flaw in Facebook's search facility has recently led to the theft of data on about 1.5 million Facebook users.
The "loophole" allows attackers to gather personally identifiable information (PII) from millions of users, including their names, telephone numbers, locations, images and more.
The researcher used a script to generate every possible phone number combination in use in Britain, the US and Canada.
Basically, he set up a phone number generator that iterates through the possible numbers and uses Facebook's Application Programming Interface (API), a tool that allows developers to build apps linked to the social network, to gather the Facebook user ID associated with each phone number.
Once you have a user's ID, the API returns user details that include:
- Phone number
- First, middle and last name
- Profile picture
- Kind of phone the number pertains to
- Version of Facebook Messenger the account holder is using
- Whether or not somebody can push data to the phone
The researcher claimed that he could probably find more information about Facebook users if he worked at it further.
Moaiandin further explained:
"With this security loophole, a person with the right knowledge can harvest the non-private details of the users who allow public access to their phone numbers, enabling the harvester to then use or sell the user details for purposes that the user may not be happy with."
Facebook Can't Patch It, But You Can!
Moaiandin has alerted Facebook about this serious issue and asked them to make the Facebook APIs pre-encrypted.
However, the security loophole remains intact, allegedly leaving the social site's 1.44 billion users open to social engineering attacks and identity theft.
The researcher has contacted Facebook twice since discovering the flaw, but Facebook apparently does not consider it an abusable vulnerability.
According to Facebook's security team, there are controls in place to monitor and mitigate this kind of API abuse.
The company said it has strict rules that limit how developers can use the APIs, and that it takes immediate action against anyone who breaks them.
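The monitoring Facebook refers to has to spot the pattern the researcher describes: one API caller walking through phone numbers in sequence and resolving far more distinct numbers than any contact-sync integration would. The detector below is an added example written for this article, not Facebook's code and not the researcher's script; it replays constructed API access-log lines (timestamp, app id, looked-up number) through a sliding window per app and flags two hypothetical signals, "volume" (too many distinct numbers in the window) and "sequential" (most lookups differ by exactly one). The thresholds, log format and app names are all assumptions.

```python
"""Flag phone-number enumeration in a lookup API's access log.

Hypothetical detector (example code, not Facebook's): replays constructed
log lines of the form "<ISO timestamp> <app_id> <E.164 phone>" and reports
apps whose lookups look like bulk enumeration rather than contact sync.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # sliding window per app (assumed)
MAX_DISTINCT = 20                # distinct numbers per window before flagging (assumed)
MIN_RUN = 10                     # lookups needed before the sequence test applies (assumed)
SEQ_FRACTION = 0.8               # share of +1 steps that counts as enumeration (assumed)


def parse_line(line):
    """Split one constructed log line into (timestamp, app_id, phone)."""
    ts, app_id, phone = line.split()
    return datetime.fromisoformat(ts), app_id, phone


def sequential_fraction(phones):
    """Share of adjacent lookups whose numeric value rises by exactly one."""
    nums = [int(p.lstrip("+")) for p in phones]
    steps = [b - a for a, b in zip(nums, nums[1:])]
    if not steps:
        return 0.0
    return sum(1 for s in steps if s == 1) / len(steps)


def analyze(lines, window=WINDOW, max_distinct=MAX_DISTINCT,
            min_run=MIN_RUN, seq_fraction=SEQ_FRACTION):
    """Return {app_id: sorted list of findings} for apps that look abusive."""
    recent = defaultdict(deque)    # app_id -> deque of (timestamp, phone) in window
    findings = defaultdict(set)
    for line in lines:
        ts, app_id, phone = parse_line(line)
        q = recent[app_id]
        q.append((ts, phone))
        # Drop lookups that have aged out of the sliding window.
        while q and ts - q[0][0] > window:
            q.popleft()
        phones_in_window = [p for _, p in q]
        if len(set(phones_in_window)) > max_distinct:
            findings[app_id].add("volume")
        if (len(phones_in_window) >= min_run
                and sequential_fraction(phones_in_window) >= seq_fraction):
            findings[app_id].add("sequential")
    return {app: sorted(v) for app, v in findings.items()}


def build_sample_log():
    """Constructed sample log: one benign contact-sync app, one enumerator."""
    base = datetime(2015, 8, 6, 10, 0, 0)
    lines = []
    # A contacts-sync app resolves a handful of unrelated numbers over ten minutes.
    legit = ["+447700900123", "+447700900987", "+447700900555",
             "+447700900042", "+447700900777"]
    for i, phone in enumerate(legit):
        lines.append(f"{(base + timedelta(minutes=2 * i)).isoformat()} contacts_sync {phone}")
    # An enumerating app walks 30 consecutive numbers at one lookup per second.
    for i in range(30):
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} harvester +4477009{i + 1:05d}")
    return sorted(lines)           # timestamps are ISO strings, so sorting orders by time


if __name__ == "__main__":
    for app, reasons in analyze(build_sample_log()).items():
        print(f"{app}: {', '.join(reasons)}")   # harvester: sequential, volume
```

On the constructed log the harvester is flagged as sequential after its tenth lookup and for volume at its twenty-first, while the contact-sync app never has more than one lookup inside any 60-second window. In a real pipeline the same two counters would sit behind the API gateway and feed the rate limiter, so a caller is throttled as soon as the sequence test trips rather than after the whole number space has been walked.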
How to Fix Facebook Privacy Issue
In the meantime, you can take some simple precautions to avoid becoming a victim of this kind of harvesting:
- Do not share your phone number on your profile.
- Alternatively, change the default 'Everyone' setting to 'Friends only'.
But what does an attacker actually gain from this?
An attacker with malicious intent could sell the collected database of personally identifiable information on the black market, which can put users' lives at risk.
Moreover, if you are a victim of such an attack, think about what the hacker's next step could be: identity theft, financial losses, malware infections, phishing attacks and more.