Facebook security hole leaves personal data open to easy stealing
By simply guessing your phone number — which is easily done — hackers can get access to all of your data
A simple hack could give criminals access to all of your Facebook data — just by guessing your mobile number.
Users' names, locations, images and other data can be gathered just by guessing a phone number, a relatively straightforward process. That data could then be stolen and sold on, for use in crime and identity theft.
The hack exploits a tool that’s intended to let anyone find a Facebook user by putting their phone number into a search box. But Reza Moaiandin, technical director at Salt Agency, has found that using a computer to automatically put in numbers can let people scrape a huge amount of data on Facebook users easily.
By generating every possible phone number for an entire country and putting them through the search box, hackers can pick up the Facebook user IDs of everyone using those numbers. Those IDs can then be put into Facebook’s GraphQL, the tool Facebook uses to organise its data, to pick up all the information that the site has on those people.
All of that information is publicly available. But Moaiandin points out that collecting it on a large scale means that it could be easily sold on — and potentially combined with other stolen data to find out much more about the people involved.
The “Who can find me?” setting, which decides whether other people can locate a user by phone number, is set to “Everyone/public” unless the user changes it; switching it off removes that user from the reach of the hack.
A spokesperson for Facebook said: "The privacy of people who use Facebook is important to us. We have strict rules that govern how developers may use our APIs to build their products, and in this instance all the information being returned is already designated to be Public.
"Everyone who uses Facebook has control of the information they share, including information on their profile and who can look them up by phone number. Our Privacy Basics tool has a series of helpful guides that explain how people can quickly and easily decide what information they share and with whom they want to share it."
But Moaiandin says that Facebook should go further by “limiting the requests from a single user, and detecting patterns, before moving on to pre-encrypting all of its data”.
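As an added illustration of the two defences the article describes (honouring the “Who can find me?” setting, and limiting requests from a single caller while detecting scanning patterns), here is a toy phone-number lookup service in Python. It is not Facebook's code and does not use any Facebook API; the user directory, the visibility values, the quota of 20 lookups per 60 seconds and the rule that five consecutive numbers in a row marks a scan are all constructed for the example.

```python
"""Toy phone-number lookup with enumeration defences (constructed example).

Two controls from the article are modelled:
  1. a per-user visibility setting ("everyone", "friends", "nobody") that is
     checked before a number resolves to a user id, and
  2. a per-caller guard that throttles request volume and flags callers whose
     lookups walk through consecutive numbers, the signature of a brute-force
     scan rather than someone looking up a friend.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Constructed directory: phone number -> (user id, "Who can find me?" setting).
USERS = {
    "+15550001001": ("uid-1", "everyone"),
    "+15550001002": ("uid-2", "friends"),
    "+15550001003": ("uid-3", "everyone"),
    "+15550001004": ("uid-4", "nobody"),
}


@dataclass
class LookupGuard:
    """Per-caller rate limit plus sequential-scan detection (hypothetical values)."""
    max_per_window: int = 20        # lookups allowed per caller per window
    window: float = 60.0            # window length in seconds
    seq_threshold: int = 5          # consecutive +1 numbers before the caller is flagged
    history: dict = field(default_factory=lambda: defaultdict(deque))
    last_number: dict = field(default_factory=dict)
    seq_run: dict = field(default_factory=lambda: defaultdict(int))
    blocked: set = field(default_factory=set)

    def check(self, caller: str, number: str, now: float) -> bool:
        """Return True if this lookup may proceed, False if it is throttled
        or the caller has already been flagged as a scanner."""
        if caller in self.blocked:
            return False
        # Sliding window: drop timestamps older than the window, then count.
        q = self.history[caller]
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.max_per_window:
            return False
        q.append(now)
        # Pattern detection: track how many times in a row this caller's
        # number is exactly one more than the previous one.
        digits = int("".join(ch for ch in number if ch.isdigit()))
        prev = self.last_number.get(caller)
        if prev is not None and digits == prev + 1:
            self.seq_run[caller] += 1
        else:
            self.seq_run[caller] = 0
        self.last_number[caller] = digits
        if self.seq_run[caller] >= self.seq_threshold:
            self.blocked.add(caller)
            return False
        return True


def lookup(guard: LookupGuard, caller: str, number: str, now: float,
           is_friend: bool = False):
    """Resolve a phone number to a user id, or None.

    None is returned both when the guard refuses the request and when the
    owner's visibility setting excludes the caller, so a refused caller
    cannot tell whether the number exists.
    """
    if not guard.check(caller, number, now):
        return None
    entry = USERS.get(number)
    if entry is None:
        return None
    uid, visibility = entry
    if visibility == "everyone" or (visibility == "friends" and is_friend):
        return uid
    return None


def simulate_scan(guard: LookupGuard, caller: str, start: int, count: int) -> int:
    """Constructed scenario: one caller walks `count` consecutive numbers.
    Returns how many of those lookups the guard let through."""
    allowed = 0
    for i in range(count):
        if guard.check(caller, "+" + str(start + i), now=float(i)):
            allowed += 1
    return allowed


def simulate_burst(guard: LookupGuard, caller: str, numbers, now: float = 0.0) -> int:
    """Constructed scenario: one caller fires non-sequential lookups at once.
    Returns how many the rate limit let through."""
    return sum(1 for n in numbers if guard.check(caller, n, now))


if __name__ == "__main__":
    g = LookupGuard()
    print("friend lookup:", lookup(g, "alice", "+15550001002", 0.0, is_friend=True))
    print("scan allowed through:", simulate_scan(LookupGuard(), "bot", 15550000000, 50))
    print("burst allowed through:",
          simulate_burst(LookupGuard(), "bot2", ["+15550001001", "+15550009999"] * 13))
```

The guard consumes a quota slot before running pattern detection and returns the same `None` for "throttled", "hidden by the owner's setting" and "no such number", so a caller cannot use the response shape to tell which case applied. The constructed scenarios show a sequential scan being cut off after the fifth consecutive number and a non-sequential burst being capped at the window quota.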
Moaiandin said that he had found the loophole by mistake: “I wasn’t even searching for flaws in Facebook’s security when I came across it”, he writes in his blog. He found the flaw a few months ago and decided to release it to the public after his attempts to report it to Facebook failed, as “an attempt to catch Facebook’s attention to get this issue fixed”.