Facebook security hole leaves personal data open to easy stealing

By simply guessing your phone number — which is easily done — hackers can get access to all of your data

Click to follow
The Independent Tech

A simple hack could give criminals access to all of your Facebook data — just by guessing your mobile number.

The names, location, images and more data of users can be gathered by just guessing a phone number — a relatively straightforward process. That data could then be stolen and sold on, for use in crime and identity theft.

The hack exploits a tool that’s intended to let anyone find a Facebook user by putting their phone number into a search box. But Reza Moaiandin, technical director at Salt Agency, has found that using a computer to automatically put in numbers can let people scrape a huge amount of data on Facebook users easily.

By gathering up an entire country’s possible combinations and putting them through the search box, hackers can pick up all the Facebook user IDs of all the people using those numbers. That can then be put into Facebook’s GraphQL, the tool Facebook uses to organise its data, to pick up all the information that the site has on those people.

All of that information is publicly available. But Moaindin points out that collecting all of that data on a large scale means that it could be easily sold on — and potentially combined with other stolen data to find out much more about the people involved.

The “Who can find me?” setting that decides whether people should be able to locate people using a phone number is turned to “Everyone/public”, though it can be switched off to avoid being liable to the hack.

A spokesperson for Facebook said: "The privacy of people who use Facebook is important to us. We have strict rules that govern how developers may use our APIs to build their products, and in this instance all the information being returned is already designated to be Public.

"Everyone who uses Facebook has control of the information they share, including information on their profile and who can look them up by phone number. Our Privacy Basics tool has a series of helpful guides that explain how people can quickly and easily decide what information they share and with whom they want to share it."


But Moaiandin says that Facebook should go further by “limiting the requests from a single user, and detecting patterns, before moving on to pre-encrypting all of its data”.

Moaiandin said that he had found the loophole by mistake: “I wasn’t even searching for flaws in Facebook’s security when I came across it”, he writes in his blog. He found the flaws a few months ago and decided to release it to the public when trying to tell Facebook failed, as “an attempt to catch Facebook’s attention to get this issue fixed”.