Facebook's phone search is a gold mine for scammers
If your phone number is attached to your Facebook account, chances are that complete strangers could find your profile.
That's what Bennett Haselton, a regular contributor to Slashdot, discovered after a female friend of his was being harassed via text from an unknown number. On a whim, Haselton suggested that they look up the number on Facebook. Much to his surprise, the tactic yielded the profile of the aggressor.
But he didn't stop there. Haselton was curious to see if he could pull other people's accounts—complete strangers—using the same method. After entering a random valid phone number and changing the last two digits, he came across 13 random Facebook accounts. These individuals had linked their profiles to their phone numbers, and because they had likely made that information at least somewhat public, they could easily be found by their number.
This doesn't appear to be a Facebook glitch. From the company's Data Use Policy:
"To make it easier for your friends to find you, we allow anyone with your contact information (such as email address or telephone number) to find you through the Facebook search bar at the top of most pages, as well as other tools we provide, such as contact importers - even if you have not shared your contact information with them on Facebook."
A Facebook spokesperson also confirmed this.
"The ability to search for a person by phone number is intentional behavior and not a bug in Facebook," Facebook told the Daily Dot via email.
"By default, your privacy settings allow everyone to find you with search and friend finder using the contact info you have provided, such as your email address and phone number. You can modify these settings at any time from the Privacy Settings page."
But anyone with enough time on their hands can simply stumble upon that specific contact information, even if they're not friends.
I tested out Haselton's method using variants of my own telephone number and, sure enough, I came across the Facebook profiles of 7 random strangers. I replicated the experiment with a separate number, which yielded 11 more results.
Using my Google Voice number, I dialed the 18 numbers. Of those calls, five went straight to voicemail. On ten different occasions, individuals willingly confirmed their name after I asked them "who am I speaking to?", not bothering to confirm who the stranger on the other end of the line was. Only three asked for my name before proceeding to speak with me.
"I think this has non-trivial privacy implications," noted Haselton.
"[Since] the space of possible phone numbers is finite, with enough patience you could uncover every Facebook account that had an associated phone number... The phone number dictionary attack described above is the only loophole I can think of that lets you harvest a large list of Facebook users and a means to contact them in a way that they will actually see."
The most obvious consequence that could result from someone doing this is that it gives that individual a large list of people primed for scamming.
The discovery comes at an inconvenient time for Facebook. Earlier this week, the social network giant announced Graph Search. They also confirmed that they were adding free Voice-over-IP phone calls to the Facebook Messenger app for iPhone.
Photo via Images Money/Flickr