Facebook security hole leaves personal data open to easy stealing

By simply guessing your phone number — which is easily done — hackers can get access to all of your data

Andrew Griffin
Tuesday 11 August 2015 15:47
Comments
A photo taken on May 16, 2012 shows a computer screen displaying the logo of social networking site Facebook reflected in a window before the Beijing skyline
A photo taken on May 16, 2012 shows a computer screen displaying the logo of social networking site Facebook reflected in a window before the Beijing skyline

A simple hack could give criminals access to all of your Facebook data — just by guessing your mobile number.

The names, location, images and more data of users can be gathered by just guessing a phone number — a relatively straightforward process. That data could then be stolen and sold on, for use in crime and identity theft.

The hack exploits a tool that’s intended to let anyone find a Facebook user by putting their phone number into a search box. But Reza Moaiandin, technical director at Salt Agency, has found that using a computer to automatically put in numbers can let people scrape a huge amount of data on Facebook users easily.

By gathering up an entire country’s possible combinations and putting them through the search box, hackers can pick up all the Facebook user IDs of all the people using those numbers. That can then be put into Facebook’s GraphQL, the tool Facebook uses to organise its data, to pick up all the information that the site has on those people.

All of that information is publicly available. But Moaindin points out that collecting all of that data on a large scale means that it could be easily sold on — and potentially combined with other stolen data to find out much more about the people involved.

The “Who can find me?” setting that decides whether people should be able to locate people using a phone number is turned to “Everyone/public”, though it can be switched off to avoid being liable to the hack.

A spokesperson for Facebook said: "The privacy of people who use Facebook is important to us. We have strict rules that govern how developers may use our APIs to build their products, and in this instance all the information being returned is already designated to be Public.

"Everyone who uses Facebook has control of the information they share, including information on their profile and who can look them up by phone number. Our Privacy Basics tool has a series of helpful guides that explain how people can quickly and easily decide what information they share and with whom they want to share it."

But Moaiandin says that Facebook should go further by “limiting the requests from a single user, and detecting patterns, before moving on to pre-encrypting all of its data”.

Moaiandin said that he had found the loophole by mistake: “I wasn’t even searching for flaws in Facebook’s security when I came across it”, he writes in his blog. He found the flaws a few months ago and decided to release it to the public when trying to tell Facebook failed, as “an attempt to catch Facebook’s attention to get this issue fixed”.

Register for free to continue reading

Registration is a free and easy way to support our truly independent journalism

By registering, you will also enjoy limited access to Premium articles, exclusive newsletters, commenting, and virtual events with our leading journalists

Please enter a valid email
Please enter a valid email
Must be at least 6 characters, include an upper and lower case character and a number
Must be at least 6 characters, include an upper and lower case character and a number
Must be at least 6 characters, include an upper and lower case character and a number
Please enter your first name
Special characters aren’t allowed
Please enter a name between 1 and 40 characters
Please enter your last name
Special characters aren’t allowed
Please enter a name between 1 and 40 characters
You must be over 18 years old to register
You must be over 18 years old to register
Opt-out-policy
You can opt-out at any time by signing in to your account to manage your preferences. Each email has a link to unsubscribe.

By clicking ‘Create my account’ you confirm that your data has been entered correctly and you have read and agree to our Terms of use, Cookie policy and Privacy notice.

This site is protected by reCAPTCHA and the Google Privacy policy and Terms of service apply.

Already have an account? sign in

By clicking ‘Register’ you confirm that your data has been entered correctly and you have read and agree to our Terms of use, Cookie policy and Privacy notice.

This site is protected by reCAPTCHA and the Google Privacy policy and Terms of service apply.

Register for free to continue reading

Registration is a free and easy way to support our truly independent journalism

By registering, you will also enjoy limited access to Premium articles, exclusive newsletters, commenting, and virtual events with our leading journalists

Already have an account? sign in

By clicking ‘Register’ you confirm that your data has been entered correctly and you have read and agree to our Terms of use, Cookie policy and Privacy notice.

This site is protected by reCAPTCHA and the Google Privacy policy and Terms of service apply.

Join our new commenting forum

Join thought-provoking conversations, follow other Independent readers and see their replies

Comments

Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged in