Researcher builds Facebook phone number data farming tool

updated 10:09 pm EDT, Wed October 10, 2012

Facebook now limits tool's functionality to a few hundred at a time

On Friday, security researcher Suriya Prakash stated that the majority of Facebook-stored phone numbers are insecure, and have been so at least since September, when he started examining the issue. A demonstration provided by Prakash showed that a simple script was able to collect phone numbers and, at a minimum, the corresponding Facebook names, with little time and cost. Facebook has since limited the utility of the script with basic flood-control limits, but Prakash claims that Facebook was not forthcoming when the social network did so.

Prakash's script allowed the user to pick a random phone number; if the owner's privacy settings permit lookup by phone number, that user's profile photo is displayed along with, at a minimum, an associated name. The script allowed a "phone book" of sorts to be built of people who allow lookups with just a phone number.

The researcher contacted Facebook with his findings, and after an unsatisfactory back-and-forth in which Facebook claimed the attack was impossible because existing rate limits and privacy settings prevented it, Prakash was able to collect data for four days with no blocks or limitations.

Again, he sent the details of the security flaw to Facebook, and received no reply. He then posted "a very small percentage" of what he managed to collect. The list he published includes 846 heavily redacted phone numbers, redacted to protect the privacy of the people whose data was mined.

Eventually, the scripting behavior was throttled, but a few hundred users can still be collected at a time despite the block. Facebook has declared the phone number search capability to be working as intended, and told The Next Web that "The ability to search for a person by phone number is intentional behavior and not a bug in Facebook. By default, your privacy settings allow everyone to find you with search and friend finder using the contact info you have provided, such as your email address and phone number. You can modify these settings at any time from the Privacy Settings page."

While the data collected may be limited to phone numbers, names and, in some cases, email addresses, it is still available for harvesting, and can be combined with data from other breaches to compile a "profile" of a user for use in social engineering attacks, potentially revealing a password. When an email address can be tied to a password that the user reuses across sites, attacking e-commerce sites with the duplicated credentials and the stored credit card information behind them becomes a simple matter. [via The Next Web]

by MacNN Staff
