Reza Moaiandin a software developer has discovered a flaw in Facebook’s security settings allowing users to find other users profiles simply by typing in their phone number.
By default, this ‘who can find me?’ setting is set to everyone/public – meaning anyone can find another user by their mobile number. This is the default setting, even if a user had chosen to withhold their mobile number from public profile. Then using Facebook’s api and a simple algorithm to generate random phone numbers Reza, of Salt Agency, Leeds, was able to receive tens of users profiles within a few minutes. Whilst the information he received is publicly available it does leave the system open to abuse. Moaiandin reported the vulnerability to Facebook twice before getting a response.
Graham Cluley, a security specialist and blogger, commented “If Facebook cares about its community, it should perhaps do more to lead them in the right direction – perhaps ensuring that users have to choose whether they want to make their phone numbers publicly accessible, rather than that being a default.”
A Facebook spokesperson said “The privacy of people who use Facebook is extremely important to us. We have industry-leading proprietary network monitoring tools constantly in order to ensure data security… Developers are only able to access information that people have chosen to make public.”