- Consumers claim the Apple Card is sexist 4 Years Ago
- Twitch bans Viperous for allegedly using racial slur during live stream 4 Years Ago
- ‘Rick and Morty’ takes a stab at its own offseason meta-narrative Today 7:06 AM
- Virtual reality is a surprisingly great tool for therapeutic conversations Today 7:00 AM
- What it means to be pangender Today 6:00 AM
- Why Lady Trieu’s costume is so significant in ‘Watchmen’ episode 4 Sunday 9:45 PM
- White woman calls police on her Black roommate for setting heat to 72 degrees Sunday 4:19 PM
- Nicki Minaj says she will stop using Instagram after it hides likes Sunday 2:59 PM
- Kylie Jenner denies sending ‘rise and shine’ cease-and-desist letters Sunday 2:23 PM
- Summer Walker accused of being rude to fan during meet-and-greet Sunday 1:22 PM
- Apple Store employee fired after texting customer’s personal photos to himself Sunday 12:27 PM
- How to stream Cowboys vs. Vikings on Sunday Night Football Sunday 12:00 PM
- People are p*ssed YG asked his 3-year-old to smell a bag of weed Sunday 11:04 AM
- Mommy influencer created fake account to trash her husband, rivals Sunday 10:27 AM
- How to stream Packers vs. Panthers live Sunday 9:30 AM
Engineer scrapes people’s Facebook data by searching random phone numbers
The data is public, but you might not realize how people can find it.
Facebook exposes significant amounts of your personal data, including status updates, photos, location data, and work history, to anyone who knows your phone number.
Reza Moaiandin, technical director at U.K.-based SEO firm Salt Agency, discovered what he calls a “security loophole” on Facebook that allowed him to collect public data on American, British, and Canadian users by running an anonymized database of phone numbers through a Facebook API.
That data was accessible because Facebook’s “Who can look me up?” setting, which determines who can find you using your phone number, is set to “Everyone” by default. Unless you change that setting, if someone found your phone number anywhere on the Internet, they could see certain aspects of your profile even if they had no connection to you.
Moaiandin used a script that produced thousands of random phone number combinations from three different countries and then sent those numbers to Facebook’s GraphQL. If a phone number was linked to a Facebook account with the default privacy setting, Moaiandin’s program spit out personal public data about that person.
So why does this matter if the data is already public?
“A person with the right knowledge can harvest the non-private details of the users who allow public access to their phone numbers, enabling the harvester to then use or sell on the user details for purposes that the user may not be happy with,” Moaiandin explained in an email with the Daily Dot.
Data harvesters can sell personal information they’ve scraped from social and e-commerce sites, either for fake Likes on social media or for more nefarious purposes like identity theft.
Reza Moaiandin/Salt Agency
Facebook, for its part, does not consider this discovery to be a bug. Moaiandin said that he reached out to Facebook twice before the company said “we do not consider it a security vulnerability” because all the data collected is public.
Facebook also said that it does have controls in place to monitor API abuse, including rate throttling, which would limit the requests from one user. Moaiandin, however, didn’t hit that rate limit, and he said that it’s possible to get around such restrictions by creating multiple fake accounts.
Facebook would not tell the Daily Dot what its rate limits are, and the developer documentation doesn’t list precise limits either. It does explain that there are three different types of throttling for Graph API calls. Theoretically, this would help to prevent the kind of mass collection of data that Moaiandin described.
Facebook is not worried about this so-called loophole. A spokesperson sent the following statement to the Daily Dot.
The privacy of people who use Facebook is extremely important to us. We have strict rules that govern how developers may use our APIs to build their products, and in this instance all the information being returned is already designated to be Public.
Everyone who uses Facebook has control of the information they share, including information on their profile and who can look them up by phone number. Our Privacy Basics tool has a series of helpful guides that explain how people can quickly and easily decide what information they share and with whom they want to share it.
Although this information is public already, this technical workaround makes it easy for people to collect data en masse. It’s a tricky balance, however, because Facebook needs to provide public data to developers so that users can access things like apps and other services built using the company’s APIs.
Moaiandin explained how Facebook could further secure the data he found to prevent copycats with more sinister motivations.
“Facebook should pre-encrypt its private API communications so its [sic] more difficult to find these security loopholes and potentially look into strengthening their API rate limits and security algorithms,” he said.
To avoid winding up in a data dump like this one, you can go to your Facebook privacy settings and change the privacy setting that allows people to search for you by phone number from “Everyone” to “Friends.”
While Facebook might not be concerned with Moaiandin’s discovery, the potential data grab illustrates once again how crucial it is to be aware of your privacy settings.
If you haven’t taken a look at your settings recently, now might be a good time to do a privacy checkup. Make sure that the only material you’re sharing publicly is information you’d be comfortable seeing on a list of Facebook users.
H/T The Guardian | Illustration by Max Fleishman
Selena Larson is a technology reporter based in San Francisco who writes about the intersection of technology and culture. Her work explores new technologies and the way they impact industries, human behavior, and security and privacy. Since leaving the Daily Dot, she's reported for CNN Money and done technical writing for cybersecurity firm Dragos.