If you’ve got a Facebook account, chances are that you have told them an awful lot of information about yourself: your name, your location, your email address, your network of friends, your photos, your likes and dislikes… the list goes on.
And many people have told Facebook their mobile phone number as well.
But did you know that complete strangers can search Facebook’s database for your phone number, find your profile, and grab your name, profile picture and more besides?
This isn’t a new feature. I first warned about the possible privacy dangers of your mobile number not being as private as you think back in 2012 - but it seems many people are unaware or have chosen not to adjust their privacy settings.
Light has been shone on the issue once again, this time by software developer Reza Moaiandin, who wrote a few lines of code that went through every possible mobile phone number in the UK, United States and Canada, and scooped up Facebook users’ names, images and further information.
Moaiandin was surprised that his script’s large number of queries to the Facebook API didn’t trigger any form of blocking or throttling by the social network, and notified Facebook about what he perceived to be the risk of organised criminals using the same method to harvest innocent people’s information.
When he didn’t get a satisfactory reply, Moaiandin contacted Facebook again. At the end of July they replied, saying that they did not believe what the researcher had discovered constituted a security vulnerability.
Actually, I agree with Facebook. It isn’t a security vulnerability. But it is, potentially, a privacy issue - even though the only data accessed may be content that the user has chosen to leave ‘public’ on Facebook.
My concern would be that many Facebook users don’t understand the consequences of not tightening their privacy, and the potential ways in which that data could be abused. If Facebook cares about its community, it should perhaps do more to lead them in the right direction - perhaps ensuring that users are forced to choose whether they want to make their phone numbers publicly accessible, rather than Facebook deciding that the default should be public to the world.
Of course, Facebook has shown through its chequered history that it doesn’t really think that way.
There are, no doubt, legitimate services that query Facebook’s API very regularly, examining a large amount of data. It appears that Facebook has rate-throttling in place to prevent third-parties from polling its databases at a level that it finds uncomfortable, but that Moaiandin’s script didn’t reach those limits - even though it sounds as if he would have been able to access a large amount of data.
My reading of Moaiandin’s blog post is that either Facebook has not set the right rate-throttling levels, or that it should limit such wide access to its data to carefully approved parties rather than any Tom, Dick or Harry who wants to create an enormous database of contacts.
Even if they had eventually spotted what Moaiandin was doing, and stopped him, would he have been able to start up again from a different IP address, or at a later time, and piece together the data he had accessed at a later date?
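The throttling gap discussed above, seen from the defender's side, as an added example (not code from Facebook, Moaiandin or this article): a detector keyed on the API credential rather than the source IP and measured over a full day, so a slow or address-hopping sweep of number ranges still stands out. The class name, thresholds and sample numbers are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque


class LookupEnumerationDetector:
    """Flags an API credential whose phone-number lookups look like a sweep.

    Keyed on the credential, not the source IP, and measured over a long window,
    so rotating addresses or querying slowly does not reset the counters.
    """

    def __init__(self, window_seconds=86_400, max_distinct=100, max_sequential_run=20):
        self.window = window_seconds
        self.max_distinct = max_distinct
        self.max_run = max_sequential_run
        self._events = defaultdict(deque)  # credential -> (timestamp, number)
        self._runs = {}                    # credential -> (last number, run length)

    def record(self, credential, phone_number, ts):
        """Record one lookup; return "sequential", "volume" or None."""
        events = self._events[credential]
        events.append((ts, phone_number))
        while events[0][0] <= ts - self.window:  # expire lookups outside the window
            events.popleft()
        last, run = self._runs.get(credential, (None, 0))
        number = int(phone_number)
        run = run + 1 if last is not None and number == last + 1 else 1
        self._runs[credential] = (number, run)
        if run >= self.max_run:
            return "sequential"  # walking consecutive numbers
        if len({n for _, n in events}) > self.max_distinct:
            return "volume"      # too many distinct numbers in the window
        return None


def first_alert(detector, credential, lookups):
    """Feed (timestamp, number) pairs; return (index, reason) of the first alert."""
    for i, (ts, number) in enumerate(lookups):
        reason = detector.record(credential, number, ts)
        if reason:
            return i, reason
    return None


# Constructed sample data: one lookup every 30 seconds (slow enough to pass a
# hypothetical per-minute throttle), walking consecutive numbers in a made-up range.
SLOW_SWEEP = [(i * 30, str(15550000000 + i)) for i in range(200)]
# Constructed sample data: the same slow pace, but skipping 7 numbers at a time.
STRIDED_SWEEP = [(i * 30, str(15550000000 + 7 * i)) for i in range(200)]
# Constructed sample data: a contact-sync style client checking a few numbers.
NORMAL_USE = [(i * 600, n) for i, n in enumerate(
    ["15550101234", "15550198765", "15550150000", "15550101234"])]
```

The consecutive sweep is flagged on its 20th lookup and the strided one once it passes 100 distinct numbers, while the ordinary client never trips either rule.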
So, if you are a Facebook user, what should you do?
Go to your Facebook privacy settings, and ensure that under “Who can look me up?” you have set “Who can look you up using the phone number you provided?” to “Friends” rather than Facebook’s default of “Everyone”.
While you’re at it, you may wish to check your other settings including “Who can look you up using the email address you provided?”.
If you do this, only your Facebook friends will be able to look you up on the site via your mobile phone number, and you have just made yourself that tiny bit more private.
Facebook stores the personal information of 1.5 billion people - data which can be immensely valuable to marketeers and criminals. To maintain the trust of its users, it should make it as difficult as possible for third-parties to scoop up even the publicly-shared information for non-approved purposes.
Hat-tip: The Guardian.