Security researcher Suriya Prakash claims he identified a serious flaw in the way Facebook protects its customers’ phone numbers.
The expert highlights the fact that in the “Contact Info” section, users can enter their phone numbers and make sure that no one can see them by choosing the “Only Me” option. However, a separate privacy setting exposes those numbers anyway.
In the “How You Connect” section of the privacy settings there is an option for “Who can look you up using the email address or phone number you provided.” The problem is that this setting is set to “Everyone” by default.
Even more worrying is the fact that there isn’t an option to fully restrict such “lookups.” The only available options are “Everyone”, “Friends of Friends” and “Friends.”
The researcher learned that this flaw could be leveraged to collect the usernames and phone numbers of random members.
He immediately informed Facebook of this issue, but the social network’s representatives didn’t seem to fully comprehend the risks posed by the privacy flaw. They also pointed out that users are responsible for ensuring that they can't be found based on their phone numbers.
Facebook informed Suriya that the attack could be mitigated with “rate limiting on finding users via any means, including phone numbers,” but the expert claims that the “rate limiting” can be easily bypassed by utilizing the mobile version.
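The two weaknesses described above, a lookup visibility setting that defaults to “Everyone” and has no “Only Me” level, and a rate limit that can be sidestepped by switching to a different front-end, are both things a lookup service can close on the server side. The following Python sketch is an added example, not code from the article, from Suriya Prakash or from Facebook; every name in it (`Directory`, `RateLimiter`, `lookup_by_phone`, the channel names and the sample users) is hypothetical. It defaults new accounts to “friends”, offers an “only_me” level, keys the rate limit on the requesting account rather than on the channel, and returns the same “not found” answer for an unknown number and for a number whose owner has hidden it.

```python
import time
from collections import defaultdict, deque

# Visibility levels a user can choose for "who can look me up by phone".
# "only_me" is the level the article says was missing; the default is
# "friends", the setting the researcher recommends, not "everyone".
VISIBILITY_LEVELS = ("everyone", "friends_of_friends", "friends", "only_me")
DEFAULT_VISIBILITY = "friends"


class RateLimiter:
    """Sliding-window limiter. Callers key it on the requesting account, so
    the budget is shared by every front-end (web, mobile, API) that account
    uses; switching channels does not reset it."""

    def __init__(self, max_requests, window_seconds):
        self.max_requests = max_requests
        self.window = window_seconds
        self._hits = defaultdict(deque)  # key -> timestamps inside the window

    def allow(self, key, now=None):
        now = time.monotonic() if now is None else now
        q = self._hits[key]
        while q and now - q[0] >= self.window:  # drop expired timestamps
            q.popleft()
        if len(q) >= self.max_requests:
            return False
        q.append(now)
        return True


class Directory:
    """Hypothetical user directory with phone-number lookup."""

    def __init__(self, limiter):
        self.users = {}     # user_id -> {"phone", "visibility", "friends"}
        self.by_phone = {}  # phone -> user_id
        self.limiter = limiter

    def add_user(self, user_id, phone, visibility=DEFAULT_VISIBILITY, friends=()):
        if visibility not in VISIBILITY_LEVELS:
            raise ValueError("unknown visibility level: %r" % (visibility,))
        self.users[user_id] = {"phone": phone, "visibility": visibility,
                               "friends": set(friends)}
        self.by_phone[phone] = user_id

    def _can_see(self, requester, target):
        """Apply the target's own lookup setting to this requester."""
        entry = self.users[target]
        vis = entry["visibility"]
        if vis == "everyone":
            return True
        if vis == "only_me":
            return False
        if requester in entry["friends"]:
            return True
        if vis == "friends_of_friends":
            return any(requester in self.users[f]["friends"] for f in entry["friends"])
        return False

    def lookup_by_phone(self, requester, phone, channel, now=None):
        """Resolve a phone number to a user id, honouring visibility and rate
        limits. `channel` is logged elsewhere but deliberately NOT part of the
        limiter key, so web and mobile draw from one budget."""
        if not self.limiter.allow(requester, now):
            return {"status": "rate_limited", "channel": channel}
        target = self.by_phone.get(phone)
        # Same answer for "no such number" and "owner has hidden it", so a
        # lookup cannot confirm that a number belongs to some account.
        if target is None or not self._can_see(requester, target):
            return {"status": "not_found", "channel": channel}
        return {"status": "found", "user_id": target, "channel": channel}


def demo():
    # Constructed sample data; every account and number here is fictional.
    d = Directory(RateLimiter(max_requests=3, window_seconds=60))
    d.add_user("alice", "+15550000001", friends={"bob"})            # default: friends
    d.add_user("carol", "+15550000002", visibility="everyone")
    d.add_user("dave", "+15550000003", visibility="only_me", friends={"bob"})
    d.add_user("frank", "+15550000004", visibility="friends_of_friends", friends={"alice"})
    return d


if __name__ == "__main__":
    d = demo()
    print(d.lookup_by_phone("eve", "+15550000001", "web", now=0))     # not_found
    print(d.lookup_by_phone("eve", "+15550000002", "mobile", now=1))  # found
```

The key design choice is the limiter key: a per-channel or per-endpoint limit is exactly what the article says was bypassed by moving to the mobile site, whereas a limit keyed on the requesting identity (and, in a real deployment, also on source address for unauthenticated traffic) follows the requester wherever they go.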
To demonstrate his findings, the researcher has developed a “macros script” which reads and saves the names and associated phone numbers of random users. He only published around 800 record sets, but he claims that an attacker with a large botnet could obtain the usernames and numbers of all the affected customers in only a couple of days.
According to the expert’s calculations, around 500 million users could be exposed to this type of attack, because of that “Everyone” default setting.
“Connecting a person’s phone number to a name is what every advertiser dreams of and this sort of list would fetch a LARGE price in the black market. And would be a HUGE breach of privacy,” Suriya said.
He told Softpedia in an email that it would be possible for an attacker to obtain the details of individuals from a particular location based on the area codes.
The expert says that he has reached out to Facebook more than five times and provided them with all the details of the exploit in an attempt to get the flaw fixed, but since they haven't acknowledged the existence of the bug he decided to make everything public.
Until Facebook properly addresses this issue and adds the equivalent of an “Only Me” option, he advises users to ensure that the privacy setting is configured so that only Friends can look up their email addresses and phone numbers.