Belfast Telegraph

Facebook security hole leaves personal data open to easy stealing

A simple hack could give criminals access to all of your Facebook data — just by guessing your mobile number.

The names, location, images and more data of users can be gathered by just guessing a phone number — a relatively straightforward process. That data could then be stolen and sold on, for use in crime and identity theft.

The hack exploits a tool that’s intended to let anyone find a Facebook user by putting their phone number into a search box.

But Reza Moaiandin, technical director at Salt Agency, has found that using a computer to automatically put in numbers can let people scrape a huge amount of data on Facebook users easily.

By gathering up an entire country’s possible combinations and putting them through the search box, hackers can pick up all the Facebook user IDs of all the people using those numbers. That can then be put into Facebook’s GraphQL, the tool Facebook uses to organise its data, to pick up all the information that the site has on those people.

All of that information is publicly available. But Moaindin points out that collecting all of that data on a large scale means that it could be easily sold on — and potentially combined with other stolen data to find out much more about the people involved.

The “Who can find me?” setting that decides whether people should be able to locate people using a phone number is turned to “Everyone/public”, though it can be switched off to avoid being liable to the hack.

But Moaiandin says that Facebook should go further by “limiting the requests from a single user, and detecting patterns, before moving on to pre-encrypting all of its data”.

Moaiandin said that he had found the loophole by mistake: “I wasn’t even searching for flaws in Facebook’s security when I came across it”, he writes in his blog.

He found the flaws a few months ago and decided to release it to the public when trying to tell Facebook failed, as “an attempt to catch Facebook’s attention to get this issue fixed”.


Independent News Service