Security experts recently urged Facebook to change some of its privacy settings because a hidden vulnerability may put millions of public profiles and linked phone numbers in the hands of hackers and abusers.
Experts learned that it is as simple as typing a random mobile phone number into the site’s search bar to get the full public profile of a user, including their personal photos, home address, and location. Unfortunately, users who chose to hide their private number may also fall victim to exploiters.
IT analyst Reza Moaiandin of U.K.-based Salt Agency found a subtle vulnerability that any hacker with basic skills can use to harvest tons of personal data just by typing random phone numbers into Facebook.
The site has a privacy setting that allows anybody on the platform to find a user just by typing into a search box their phone number. The setting is called “Who can find me?” and it is set by default to “Public.”
So, anyone on the social networking site can find anyone with help from only a string of numbers. And choosing to hide your phone number from the public doesn’t mean you are safe. The site still matches your number with your public profile on a random query, experts reported.
Moaiandin said he used a special hacker program to generate as many random mobile phone numbers as he could. Then he used those numbers on the site to harvest user personal data. And the crop was plentiful.
Nevertheless, some may argue that the data is already publicly available. Yet, being able to link a phone number that was purposely hidden by its owner to a public account raises some serious security issues. Hackers can harvest millions of Facebook users’ personal data AND phone numbers in several hours.
It is very similar to walking into a private bank with a list of account numbers and politely asking an employee to grant you access to all the data the bank has on those accounts’ owners.
Luckily, you can change the annoying setting manually from “Everyone/Public” to “Friends-Only.” Experts disclosed that millions of users have that setting on Everyone/Public by default, making any hacker’s life a lot easier. Plus, they can grab your personal data, sell it and re-sell it on black markets without you even noticing.
Facebook, on the other hand, denied that the vulnerability posed a real threat to its members’ privacy.