Reza Moaiandin said in a recent blog post that the “loophole” allows attackers to gather personally identifiable information from millions of users, including their names, telephone numbers, locations, images and more.
Moaiandin says that he discovered the issue a few months ago and posted about it last week in an attempt to catch Facebook’s attention and get it fixed.
The Guardian posted a video in which the developer shows how he exploited the API:
In short, he wrote a script that generates candidate phone numbers in sequence and submits each one to Facebook’s API; for any number tied to an account, the API returns the matching user ID.
Each Facebook ID then unlocks the user’s details.
Once you have a user ID, the API returns: the phone number; the type of phone it belongs to; profile pictures; first, middle and last names; which version of Messenger the account holder is using; and whether or not someone can push data to the phone.
He could probably find more if he worked at it further, he said.
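The enumeration described above is cheap because the lookup endpoint answers one number at a time and the number space is small. The following Python is an added illustration, not Moaiandin’s script or any Facebook API: it runs the same loop against a constructed in-memory directory (invented numbers, names and IDs), honours a per-user “who can look me up” setting like the one discussed later, and shows the effect of a server-side cap on how many distinct numbers one client may look up. The endpoint name `lookup_by_phone`, the `EnumerationGuard` class and all data are assumptions for the example.

```python
"""Phone-number enumeration against a lookup API, and a per-client cap that blunts it."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Profile:
    user_id: int
    name: str
    lookup_by_phone: str            # "everyone", "friends" or "nobody"
    friends: set = field(default_factory=set)


# Constructed sample directory for the example; every entry is invented.
DIRECTORY = {
    "+15550000107": Profile(1001, "Alice Example", "everyone"),
    "+15550000231": Profile(1002, "Bob Example", "friends", friends={2000}),
    "+15550000418": Profile(1003, "Carol Example", "nobody"),
    "+15550000902": Profile(1004, "Dave Example", "everyone"),
}


def lookup_by_phone(number, requester_id):
    """Mock 'find by phone number' endpoint that honours the target's lookup setting.

    Returns the user ID when the requester is allowed to find this number, else None.
    """
    profile = DIRECTORY.get(number)
    if profile is None:
        return None
    if profile.lookup_by_phone == "everyone":
        return profile.user_id
    if profile.lookup_by_phone == "friends" and requester_id in profile.friends:
        return profile.user_id
    return None


def candidate_numbers(prefix, start, stop, width=4):
    """Yield every number in the range, zero-padded to the fixed width (e.g. +1555000 + 0107)."""
    for n in range(start, stop):
        yield f"{prefix}{n:0{width}d}"


class EnumerationGuard:
    """Server-side control: each client may look up at most `max_distinct` different numbers.

    A production control would also be time-windowed and keyed on more than the
    requester ID; this one is deliberately minimal.
    """

    def __init__(self, max_distinct):
        self.max_distinct = max_distinct
        self.seen = defaultdict(set)

    def allow(self, requester_id, number):
        seen = self.seen[requester_id]
        if number in seen:            # repeating a lookup costs nothing extra
            return True
        if len(seen) >= self.max_distinct:
            return False
        seen.add(number)
        return True


def harvest(prefix, start, stop, requester_id, guard=None):
    """Attacker's loop: try every number in the range and record which ones resolve.

    Returns (hits, queries_made) where hits maps phone number -> user ID.
    """
    hits = {}
    queries = 0
    for number in candidate_numbers(prefix, start, stop):
        if guard is not None and not guard.allow(requester_id, number):
            break                     # the cap stops the sweep here
        queries += 1
        uid = lookup_by_phone(number, requester_id)
        if uid is not None:
            hits[number] = uid
    return hits, queries


if __name__ == "__main__":
    # Stranger sweeping 1,000 numbers: only the two "everyone" profiles leak.
    print(harvest("+1555000", 0, 1000, requester_id=9999))
    # A friend of Bob's sees him too, because his setting is "friends".
    print(harvest("+1555000", 0, 1000, requester_id=2000))
    # With a 50-lookup cap the same stranger is cut off before the first hit.
    print(harvest("+1555000", 0, 1000, requester_id=9999, guard=EnumerationGuard(50)))
```

The point the mock makes is the one the privacy settings below rely on: the API does nothing wrong per request, so the only defences are the target’s own “who can look me up” setting and a server-side limit on how many distinct numbers a single client may resolve.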
Moaiandin says he shouldn’t be able to get that info: that Facebook should, rather, “pre-encrypt” the data.
When I'm trying to get these details, I shouldn't be able to ... sniff these details. Facebook should pre-encrypt it so I can't get that ID and I can't see those personal details.
Facebook, however, doesn’t think the issue needs fixing, seeing as all information that Moaiandin managed to get hold of was set to be visible to ‘Public’ and all users he found had no restrictions on who could search for them by phone number.
In an emailed statement, a Facebook spokesperson told us:
The privacy of people who use Facebook is extremely important to us. We have strict rules that govern how developers may use our APIs to build their products, and in this instance all the information being returned is already designated to be Public.
Everyone who uses Facebook has control of the information they share, including information on their profile and who can look them up by phone number.
Given this response from Facebook, it’s wise to bolt down who can search for you by phone number.
How to limit who can search for you and how
You can change your privacy settings to limit who’s able to search for you by email address and/or phone number.
You can adjust those settings to limit who can find you, or you can remove your phone number entirely so that nobody can find you by looking up your number.
Here’s how:
- Click the little “down” arrow at the top right of any Facebook page and choose Settings.
- If you’ve already linked your phone number to your Facebook account, you can remove it by selecting Mobile on the left. Click Remove to sever that link. Note that doing so means that Facebook can’t send you login approvals, which ensure that you don’t get locked out when using an unrecognized computer or mobile device to log in. If you tend to log into Facebook on more than one device, this might not be a good tradeoff.
- If cutting the link between your phone number and Facebook is too drastic, you can instead limit who can search for you. Rather than selecting Remove, select Privacy on the left of the Settings page. Under the Who can look me up? section, you’ll see one setting for your email address and one for your phone number.
- Use the dropdown menu next to each setting to select who can look you up using that info: the options are Friends, Friends of friends or Everyone. Limiting lookup by phone or email to friends only is far better than letting the entire world get to you, but it’s certainly not perfect protection against having your details stolen, given that many of us have so-called “friends” on Facebook whom we don’t know well in real life.
To find out how to lock down your profile privacy and keep strangers from contacting you to send friend requests, as well as other ways to make Facebook safer, check out these 5 Facebook security tips.
Besides noting that the harvested data is public, Facebook also pointed people to Privacy Basics: a tool it rolled out in April that’s designed to be a drop-dead simple guide to help people decide what they want to share and with whom.
Image of thumbs up for online privacy courtesy of Shutterstock.com.