
A simple hack could give criminals access to all of your Facebook data — just by guessing your mobile number.
The names, location, images and more data of users can be gathered by just guessing a phone number — a relatively straightforward process. That data could then be stolen and sold on, for use in crime and identity theft.
The hack exploits a tool that’s intended to let anyone find a Facebook user by putting their phone number into a search box. But Reza Moaiandin, technical director at Salt Agency, has found that using a computer to automatically put in numbers can let people scrape a huge amount of data on Facebook users easily.
By gathering up an entire country’s possible combinations and putting them through the search box, hackers can pick up all the Facebook user IDs of all the people using those numbers. That can then be put into Facebook’s GraphQL, the tool Facebook uses to organise its data, to pick up all the information that the site has on those people.
All of that information is publicly available. But Moaiandin points out that collecting all of that data on a large scale means that it could be easily sold on — and potentially combined with other stolen data to find out much more about the people involved.
The “Who can find me?” setting, which decides whether people should be able to locate a user through their phone number, is set to “Everyone/public” by default, though it can be switched off to avoid being exposed to the hack.
But Moaiandin says that Facebook should go further by “limiting the requests from a single user, and detecting patterns, before moving on to pre-encrypting all of its data”.
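The two server-side mitigations Moaiandin suggests, limiting requests from a single user and detecting patterns, can be sketched as a small detector over lookup logs. This is an added example, not code from the article, Facebook or Salt Agency; the log format (timestamp, client id, phone number), the sample events and the thresholds are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample log: (timestamp_seconds, client_id, phone_number_digits).
# client-a walks a block of consecutive numbers, client-b does two ordinary lookups,
# client-c fires many unrelated lookups inside one short window.
SAMPLE_LOOKUPS = (
    [(1000 + i, "client-a", str(447700900100 + i)) for i in range(8)]
    + [(1003, "client-b", "447700900555"), (1900, "client-b", "447700900777")]
    + [(2000 + i, "client-c", str(447700900000 + (i * 37) % 1000)) for i in range(25)]
)

def sequential_run(numbers):
    """Length of the longest run of consecutive phone numbers, in lookup order."""
    best = run = 1
    for prev, cur in zip(numbers, numbers[1:]):
        run = run + 1 if int(cur) == int(prev) + 1 else 1
        best = max(best, run)
    return best

def detect_enumeration(lookups, window_s=60, max_per_window=20, max_sequential=5):
    """Return {client_id: reason} for clients whose lookups look like enumeration.

    Two signals: rate (more than max_per_window lookups from one client inside a
    sliding window of window_s seconds) and pattern (a run of consecutive numbers,
    which a person searching for a contact does not produce).
    """
    by_client = defaultdict(list)
    for ts, client, number in sorted(lookups):
        by_client[client].append((ts, number))
    flagged = {}
    for client, events in by_client.items():
        times = [ts for ts, _ in events]
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window_s:  # slide window start forward
                start += 1
            if end - start + 1 > max_per_window:
                flagged[client] = f"{end - start + 1} lookups in {window_s}s"
                break
        if client in flagged:
            continue
        run = sequential_run([n for _, n in events])
        if run >= max_sequential:
            flagged[client] = f"{run} consecutive numbers"
    return flagged

if __name__ == "__main__":
    print(detect_enumeration(SAMPLE_LOOKUPS))
```

The thresholds are placeholders; in practice they would be tuned against the normal lookup rate of real users, and a flagged client would be throttled rather than served.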
Moaiandin said that he had found the loophole by mistake: “I wasn’t even searching for flaws in Facebook’s security when I came across it”, he writes in his blog. He found the flaw a few months ago and decided to release it to the public after his attempts to tell Facebook failed, as “an attempt to catch Facebook’s attention to get this issue fixed”.