Facebook's phone search can be abused to find people's numbers, researchers say
Attackers can extract people's names and phone numbers from Facebook with brute force search attack, security researchers show
IDG News Service -
Attackers can abuse Facebook's phone search feature to find valid phone numbers and the names of their owners, according to security researchers.
The attack is possible because Facebook doesn't limit the number of phone number searches that can be performed by a user via the mobile version of its website, Suriya Prakash, an independent security researcher said Friday in a blog post.
Facebook allows users to associate their phone numbers with their accounts. If fact, a mobile phone number is required to verify any new Facebook account and unlock features like video uploading or timeline URL personalization.
When adding phone numbers in the "Contact info" section of their respective Facebook profile pages, users can choose if they want to make this information visible to the general public, only to their friends or if they want to keep it to themselves, which is a good privacy option.
Facebook also allows users to find other people on the website by searching for those people's phone numbers in international format.
Users can control who can locate them using this method through an option under "Privacy Settings" > "How You Connect" > "Who can look you up using the email address or phone number you provided?" which is set by default to "Everyone."
This means that even if you set your phone number's visibility to "Me only" on your profile page, anyone who knows your phone number will still be able to find you on Facebook unless you change the second setting to "Friends" or "Friends of friends." There is no option to prevent everyone from locating your profile using your phone number.
Since most people don't change the default value of this setting it is possible for an attacker to generate a list of sequential phone numbers within a chosen range -- for example from a specific operator -- and use Facebook's search box to discover who they belong to, Prakash said. Connecting a random phone number to a name is every advertiser's dream and these sort of lists would fetch a large price on the black market, he said.
Prakash claims that he shared this attack scenario with Facebook's security team in August and after an initial response on Aug. 31 all of his emails went unanswered until Oct. 2, when a Facebook representative responded and said that the rate at which users can be found on the website via any means, including phone numbers, is restricted.
However, the mobile version of Facebook's website -- m.facebook.com -- doesn't appear to have any search rate limitation, Prakash said.
The researcher generated numbers with U.S. and India country prefixes and created a simple proof-of-concept (PoC) macros script that searched for them on Facebook and saved the ones that were found to be associated with Facebook profiles, together with the names of their owners.
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
Red Hat Enterprise Linux - The Original Cloud Operating System
Linux adoption is growing against a number of measures, such as the
number of supercomputers that run Linux and the size of the contributing...
- OpenStack Hype vs. Reality: CIO Quick Pulse Open-source architecture can enable IT departments to build infrastructure-as-a-service (IaaS) clouds running on standard hardware.
- Building a Bridge to the Next Generation Data Center Selecting a widely adopted operating system is a foundational component of a standardization strategy.
- OpenStack and Red Hat: IDC White paper Most OpenStack deployments are by public cloud providers that are early adopters of technology and use OpenStack in a do-it-yourself deployment and support...
- Webinar: Building a Big Data solution that's production-ready Big data solutions are no longer just a nice-to-have.
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well... All Cyberwarfare White Papers | Webcasts