What's new

Security flaw in Facebook exposes user phone numbers

ebenzunlimited

Moderator
Suriya Prakash, an Indian Security Researcher has discovered a serious flaw in the facebook that allows scammers to get phone numbers of millions of Facebook's users.

If you are one of those person who say proudly i have made my number as private so i am safe, then you must read this news before shouting.

Usually, most of users change the privacy settings in the "Contact info" section in order to hide their mobile numbers from others but they are fail to realize that there is another option that expose their numbers.

In the "How You Connect" section , there is an option for "Who can look you up using the email address or phone number you provided?". By default, it is set to "Everyone".
facebook-security-flaw.jpg

This allows people to find the Facebook profile by entering phone numbers.  A legitimate users will use this feature to find their friends in the Facebook.  But Cyber Criminals can exploit this feature to get the phone number and corresponding username.

According to researcher, a simple brute-force script can exploit this feature and save phone numbers along with username.  But "Rate limiting on finding users" can prevent this brute-force attack.

Unfortunately, the mobile version of Faebook fails to do that. To demonstrate the bug, he run the script and extract number of phone numbers with username. He also published few extracted information.

He claimed that a large botnet with better script can get the full list of username and phone numbers.

The expert says that he has reached out to Facebook more than five times and provided them with all the details of the exploit in an attempt to get the flaw fixed, but since they haven't acknowledged the existence of the bug he decided to make everything public.

"So to protect yourself against this, change your settings to ?My friends? and ask Facebook to provide an ?Only me option? and make it such that it is the default setting for all users!." Researcher concluded in his post.
 
Top