Hacker says he can get phone numbers on Facebook which are not supposed to be public

A security researcher is threatening to go public with a 'privacy leak' that Facebook thinks of as a feature instead of a flaw.

It’s been known for years that anyone can find out your phone number if you gave it to Facebook and didn’t lock down your privacy settings, but a security researcher has claimed there is a way to find phone numbers which are not set to “public” on Facebook accounts.

Belgian security researcher Inti De Ceukelaire said he discovered he could exploit Facebook in order to get hold of cell phone numbers which are not supposed to be publicly visible.


Please keep in mind that most of the reporting on this story was not in English, and machine translation can mangle quotes. De Ceukelaire said he was able to “identify the mobile phone numbers of top politicians and Flemish celebrities through their Facebook profile. This involved numbers associated with that profile, but normally not visible publicly.” To prove his point, he pulled up the phone number of Belgium’s Interior Minister Jan Jambon via his Facebook profile and then did the same thing for other politicians and celebrities.

“For clarity, I could find out his number on his account, not vice versa,” he said according to a Google-translated version. The following translation is even more confusing. “Roughly, I think you get the number 20 percent of the Flemish people can find that way. Of all the people who have their mobile number linked to their profile goes to the 80 percent.” That likely didn't clear up any already murky understanding of the problem.

He “warned” Facebook twice about the security issue, saying he would go public with it if Facebook didn’t make changes. But to Facebook’s way of thinking, this is not a flaw but a feature. Facebook directed him to its documentation on how to control who can search for you via your phone number or email address. De Ceukelaire, however, calls it a serious privacy leak, because phone numbers that are not set to be displayed to the public can still be found.

De Ceukelaire has already reported the problem to the police and is giving Facebook another chance to fix the problem before he goes public.

He tweeted Facebook’s response after he reported the security flaw.

[Image: Facebook’s reply, as tweeted by Inti De Ceukelaire, calling the ability to find phone numbers a feature, not a flaw.]

Lead Stories, which currently has the only English version of this story, reported, “According to Facebook it would take too many tries to find out any useful information by abusing the search function and they are already countering this by rate limiting the number of requests users can make. It would take months to try all phone numbers according to Facebook. De Ceukelaire says his actual method only takes 30 minutes for a single account.”

The problem of being able to look up a person on Facebook via reverse phone number search was pointed out back in 2012. It didn’t matter if the phone number itself was set to be visible to “only me,” because the separate “who can look you up” setting governs the search; the only way to prevent it was to tighten that setting. Facebook later made some changes so that only a limited number of reverse lookups could come from a single IP address; that happened after a security researcher looked up thousands of random phone numbers and harvested the strangers’ information.
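The distinction just described, between the visibility of a number on a profile page and the audience allowed to find a profile by searching for that number, is easy to model. The following is an added example, not Facebook's code and not De Ceukelaire's method: the class names, the four audience values, the per-IP limit of 100 lookups per window and the Belgian-style phone numbers are all assumptions constructed for the illustration. It shows a profile whose number is hidden ("only me") still being found by a stranger through reverse lookup, and shows why a per-IP limit only slows down an enumeration that is spread across several IP addresses.

```python
"""Toy model of reverse phone-number lookup on a social network.

Added illustration, not Facebook's code. Names, audience values, the per-IP
limit and the phone numbers are assumptions. It separates the two controls
the article distinguishes: who may SEE a number on a profile page and who may
FIND a profile BY that number, plus a fixed-window per-IP request limit.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

EVERYONE, FRIENDS_OF_FRIENDS, FRIENDS, ONLY_ME = (
    "everyone", "friends_of_friends", "friends", "only_me")


class RateLimited(Exception):
    """Raised (not None) so a caller can tell 'blocked' from 'no match'."""


@dataclass
class Profile:
    name: str
    phone: str
    number_visibility: str       # who may read the number on the profile page
    lookup_audience: str         # who may find the profile by searching the number
    friends: Set[str] = field(default_factory=set)


class Directory:
    def __init__(self, profiles: List[Profile], limit_per_ip: int):
        self.by_phone = {p.phone: p for p in profiles}
        self.by_name = {p.name: p for p in profiles}
        self.limit_per_ip = limit_per_ip
        self.counts: Dict[str, int] = defaultdict(int)  # per-IP counter, one window

    def new_window(self) -> None:
        """Start a new rate-limit window: every per-IP counter resets."""
        self.counts.clear()

    def _allowed(self, audience: str, target: Profile, requester: str) -> bool:
        if requester == target.name or audience == EVERYONE:
            return True
        if audience == ONLY_ME:
            return False
        if requester in target.friends:
            return True                      # covers FRIENDS and FRIENDS_OF_FRIENDS
        return audience == FRIENDS_OF_FRIENDS and any(
            requester in self.by_name[f].friends
            for f in target.friends if f in self.by_name)

    def view_number(self, requester: str, target_name: str) -> Optional[str]:
        """Profile-page view: governed only by number_visibility."""
        t = self.by_name[target_name]
        return t.phone if self._allowed(t.number_visibility, t, requester) else None

    def reverse_lookup(self, requester: str, ip: str, phone: str) -> Optional[str]:
        """Search by number: governed by lookup_audience and the per-IP limit.
        number_visibility is deliberately NOT consulted here; that is the leak."""
        if self.counts[ip] >= self.limit_per_ip:
            raise RateLimited(ip)
        self.counts[ip] += 1
        t = self.by_phone.get(phone)
        if t is None or not self._allowed(t.lookup_audience, t, requester):
            return None
        return t.name


def enumerate_range(d: Directory, requester: str, prefix: str, digits: int,
                    ips: List[str]) -> Tuple[Dict[str, str], int]:
    """Try every prefix+NNN (zero-padded to `digits`), moving to the next IP when
    one is blocked and opening a new window when all are exhausted.
    Returns ({phone: name}, number of rate-limit windows consumed)."""
    found: Dict[str, str] = {}
    windows, ip_index = 1, 0
    for n in range(10 ** digits):
        phone = f"{prefix}{n:0{digits}d}"
        while True:
            try:
                name = d.reverse_lookup(requester, ips[ip_index % len(ips)], phone)
                break
            except RateLimited:
                ip_index += 1
                if ip_index % len(ips) == 0:     # every IP blocked in this window
                    d.new_window()
                    windows += 1
        if name is not None:
            found[phone] = name
    return found, windows


def build_demo_directory(limit_per_ip: int = 100) -> Directory:
    """Three constructed profiles with fictional Belgian-style mobile numbers."""
    return Directory([
        Profile("jan", "+32470000123", ONLY_ME, EVERYONE),   # hidden, yet searchable
        Profile("eva", "+32470000777", FRIENDS, FRIENDS, friends={"tom"}),
        Profile("tom", "+32470000042", EVERYONE, EVERYONE),  # fully public
    ], limit_per_ip)


if __name__ == "__main__":
    d = build_demo_directory()
    print("stranger sees jan's number on the profile:", d.view_number("stranger", "jan"))
    print("1 IP:  ", enumerate_range(d, "stranger", "+32470000", 3, ["ip-1"]))
    print("10 IPs:", enumerate_range(build_demo_directory(), "stranger", "+32470000", 3,
                                     [f"ip-{i}" for i in range(10)]))
```

Run stand-alone, the model shows "jan" hidden on the profile page yet returned by the reverse lookup, while "eva", whose lookup audience is friends-only, is not found by a stranger at all. Sweeping 1,000 candidate numbers takes 10 rate-limit windows from a single IP but only one window when spread over ten IPs, which is why a per-IP limit on its own is a speed bump rather than a fix; the setting that actually closes the search is the lookup audience.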

Yet a few years later, Tech Insider suggested using Facebook instead of Google when searching to identify unknown callers and texters. Even if the privacy settings are locked down, there is a chance of phone numbers being listed in really old and accessible posts.

Without De Ceukelaire releasing the details of how he “exploited” Facebook to pull off this privacy leak, it is unclear whether his method is new. This is not the first time Facebook has blown him off when he reported a security flaw. Facebook gave him the same “feature not flaw” reply before, since De Ceukelaire is the same researcher who explained that “links sent privately through Messenger can be read by anyone.” By anyone, he meant any Facebook developer, or anyone else making the right API call, could read links shared privately via Facebook Messenger.

De Ceukelaire went public with that information in June 2016 after Facebook security told him it was a “publicly-documented and intentional behavior.” Later however, after the issue gained some unfavorable press, Facebook decided to fix the problem.

At any rate, you should check your privacy settings on Facebook to see whether your phone number is listed and whether you allow “Everyone,” “Friends of friends” or just “Friends” to look you up via the phone number or email address that you handed over to Facebook; the lookup setting is separate from who can see the number on your profile. If De Ceukelaire goes public with his method, it would be best to see what he advises to keep your phone number private.

Copyright © 2017 IDG Communications, Inc.
