An automated script and the Facebook API can do wonders for your Facebook user data harvesting campaigns

Aug 12, 2015 14:59 GMT  ·  By
Developer Reza Moaiandin manages to harvest user data with the Facebook API and bulk phone numbers

Reza Moaiandin, technical director at the UK-based Salt.agency SEO firm, has accidentally discovered a method through which the personal details of Facebook users can be harvested in bulk using simple scripts and the Facebook API.

According to Mr. Moaiandin, the method consists of querying the Facebook API with phone numbers in bulk, taken either from existing phone directories or generated by the script itself.

If a number belongs to a registered account, the API returns that user's Facebook ID, which the script then records against the phone number.

Using Facebook's Graph API, an attacker can then pull further public profile details for each ID and assemble a database of names, phone numbers and profile data that can be used to target people with phishing, ransomware or malware distribution campaigns.

Facebook's shady privacy settings strike again

Mr. Moaiandin's findings exploit the Facebook privacy setting "Who can find me?", which lets users choose who can look them up by the phone number on their account. The same lookup is available through the Facebook API, not only through the site's own search.

Because the default value of this setting is to allow everyone, every user who has never changed it can be looked up by phone number through the API, even when the number itself is hidden on their profile page.

Mr. Moaiandin contacted the company back in April and received two replies (see the images attached to this article). In the first, a company representative was unable to reproduce his findings; the second employee to answer was more concerned with whether his script had stayed within the API rate limits than with the fact that it was exposing user data.

According to the second email, this is not a security issue, but one that affects user privacy, and one that Facebook can easily fix.

While it is true that Facebook enforces API rate limits to curb abuse of its developer tools, a rate limit is a throttle, not an authorization check. An attacker who follows Mr. Moaiandin's steps slowly enough to stay under the limit is no more entitled to the personal details returned, and still ends up with them in bulk, only over a longer period or spread across more developer accounts.

Facebook's problem lies in its approach to user data privacy. Because it imposed the sharing setting on users by default, it now treats the resulting data as "public information", even though informed users would not regard it as such.

Facebook doesn't see this as a security vulnerability

While the data is technically available through its API, Facebook should make it harder to retrieve in bulk, and should notice when someone tries to harvest it anyway.

As Mr. Moaiandin says in his blog post, "the good news is that Facebook should be able to fix the problem by limiting the requests from a single user, and detecting patterns, before moving on to pre-encrypting all of its data."
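To make the two points above concrete (a per-client rate limit only throttles a sweep, while the request limiting plus pattern detection Mr. Moaiandin proposes is what actually catches one), here is an added Python illustration. It is not Mr. Moaiandin's proof of concept and not Facebook's code: the lookup endpoint, the directory of registered numbers, the client names and the detection thresholds are all constructed assumptions for the demo.

```python
"""Phone-number sweep against a lookup endpoint, and the server-side checks
that catch it. The endpoint, directory, client names and thresholds are
constructed for this illustration."""
from collections import Counter, defaultdict, deque

# Constructed directory: three registered numbers in a 10,000-number block.
REGISTERED = {
    "+447700900123": {"id": "10000001", "name": "Alice Example"},
    "+447700905555": {"id": "10000002", "name": "Bob Example"},
    "+447700909999": {"id": "10000003", "name": "Carol Example"},
}


def lookup(number):
    """Stand-in for a 'who is registered with this phone number' API call."""
    return REGISTERED.get(number)


class PerClientRateLimit:
    """A plain per-client (per app or token) request counter. It caps how fast
    one client can query; it says nothing about what the answer may reveal."""

    def __init__(self, limit):
        self.limit, self.counts = limit, defaultdict(int)

    def allow(self, client):
        self.counts[client] += 1
        return self.counts[client] <= self.limit


class EnumerationDetector:
    """Looks at each client's recent lookups for the shape of a sweep: many
    distinct numbers, nearly all misses, stepping through the number space at a
    fixed stride. Thresholds are demo assumptions, not Facebook's values."""

    def __init__(self, window=200, max_distinct=50, max_miss_ratio=0.9,
                 max_stride_ratio=0.8, min_queries=20):
        self.window, self.max_distinct = window, max_distinct
        self.max_miss_ratio, self.max_stride_ratio = max_miss_ratio, max_stride_ratio
        self.min_queries = min_queries
        self.history = defaultdict(deque)

    def observe(self, client, number, hit):
        q = self.history[client]
        q.append((number, hit))
        if len(q) > self.window:
            q.popleft()

    def reasons(self, client):
        q = self.history[client]
        n = len(q)
        if n < self.min_queries:
            return []  # too few lookups to judge; a friend finder looks like this
        out = []
        if len({num for num, _ in q}) > self.max_distinct:
            out.append("many distinct numbers")
        if sum(1 for _, hit in q if not hit) / n > self.max_miss_ratio:
            out.append("almost all lookups miss")
        digits = [int(num.lstrip("+")) for num, _ in q]
        diffs = [b - a for a, b in zip(digits, digits[1:])]
        if Counter(diffs).most_common(1)[0][1] / len(diffs) > self.max_stride_ratio:
            out.append("numbers queried at a fixed stride")
        return out


def sweep(prefix, start, stop, clients, limiter, detector):
    """Attacker side: walk a block of numbers, rotating over several client
    identities so each stays under the per-client limit. Returns the harvested
    number -> account map and the set of clients the detector flagged."""
    found, flagged = {}, set()
    for i, n in enumerate(range(start, stop)):
        client = clients[i % len(clients)]
        if not limiter.allow(client):
            continue  # throttled; the attacker simply moves to the next number
        number = f"{prefix}{n:06d}"
        rec = lookup(number)
        detector.observe(client, number, rec is not None)
        if rec is not None:
            found[number] = rec
        if detector.reasons(client):
            flagged.add(client)
    return found, flagged


def run_demo():
    limiter = PerClientRateLimit(limit=500)   # no client ever exceeds 500 calls
    detector = EnumerationDetector()
    clients = [f"app-{k}" for k in range(20)]  # 20 x 500 covers the whole block
    found, flagged = sweep("+447700", 900000, 910000, clients, limiter, detector)
    # An ordinary user checking a few contacts stays well below min_queries.
    for num in ("+447700900123", "+447700905555", "+447700901111"):
        detector.observe("user-1", num, lookup(num) is not None)
    return {"harvested": sorted(found), "flagged": sorted(flagged),
            "user_flagged": bool(detector.reasons("user-1"))}


if __name__ == "__main__":
    print(run_demo())
```

Splitting the 10,000 lookups over 20 client identities keeps every client at the 500-call cap, so the rate limit never blocks anything and all three registered numbers are harvested. The detector nevertheless flags every one of those clients after its twentieth lookup, because the traffic is almost entirely misses taken at a constant stride, while the user who checks three contacts is never flagged. On a real service the directory is far denser and the thresholds would need tuning, and an attacker can randomise query order and mix in known-good numbers; heuristics like these raise the cost of a sweep rather than close the door, which is why the page's point about what the API returns by default still matters.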

Mr. Moaiandin also demoed his findings for The Guardian, which recorded a video at the end of which a Facebook representative answered with the following statement:

"The privacy of people who use Facebook is extremely important to us. We have industry-leading proprietary network monitoring tools constantly running in order to ensure data security and have strict rules that govern how developers are able to use our APIs to build their products. Developers are only able to access information that people have chosen to make public."

"Everyone who uses Facebook has control of the information they share, this includes the information people include within their profile, and who can see this information. Our Privacy Basics tool has a series of helpful guides that explain how people can quickly and easily decide what information they share and who they share it with."

Images attached to the article: Facebook's first answer to Reza Moaiandin; Facebook's second answer to Reza Moaiandin.