Facebook's privacy settings allow for harvesting data through mobile numbers


If you've added your mobile number to your Facebook account, you might want to reconsider in light of a new security exploit. A software engineer was able to access users' data just by entering their mobile numbers. Profile pictures, names and locations were all accessible even for users who had not made their number public.

There is potential for such harvested data to be misused by malicious parties, as it provides an easy way to link a mobile number to an individual. Reza Moaiandin was able to use a special tool to quickly generate tens of thousands of numbers which, when passed through a Facebook API, fed back the associated user profiles.

As reported by the Guardian, this method of gathering data -- even if it is publicly available -- is open to abuse. Security experts have complained that Facebook had not made it hard enough for people to harvest data in this way. It is something that Facebook users can take steps to protect themselves against, but as things stand Moaiandin says it is like "walking into a bank, asking for a few thousand customers' personal information based on their account number, and the bank telling you: 'Here are their customer details'".

The software engineer has twice reported the problem to Facebook through its bug bounty program but his concerns were brushed aside. Facebook said that it already had measures in place to prevent abuse, and said of his discovery: "We do not consider it a security vulnerability".

Moaiandin disagrees, and says there is much more that could be done. He says that, like Apple and Google, Facebook should introduce an extra layer of encryption as this would obfuscate the data he was able to access. Facebook recently unveiled a privacy checkup tool which it says helps users to ensure that they are not sharing information they do not want to.

If you have added your mobile number to your Facebook account, you can manually configure how it can be used to track you down. Head to the Privacy section of your account, look for the "Who can look you up using the phone number you provided?" setting, and make sure that it is set to something other than Everyone.

Photo credit: JuliusKielaitis / Shutterstock


© 1998-2024 BetaNews, Inc. All Rights Reserved.