Facebook dismissed claims that the technique could be used to build massive scam databases
A developer has discovered a programming loophole that could allow malicious users to harvest Facebook users’ personal details on a massive scale.
Reza Moaiandin, technical director of search marketing agency Salt, said the loophole poses a privacy problem for Facebook users, allowing their details to be used in scams.
“This could be a huge phishing problem if no limit is created, and the loophole is discovered by the wrong person,” he wrote in a blog post.
Moaiandin said he discovered the loophole “entirely by mistake” while experimenting with a feature that allows users to find someone on Facebook by entering their telephone number.
By default, this “Who can find me?” setting is set to Everyone/public, meaning the numbers are searchable by anyone. The setting applies even to users who have withheld their number from their public profile; a number is excluded from searches only if the user specifically changes the “Who can find me?” setting to “friends only”.
Moaiandin said he used a script to generate tens of thousands of mobile numbers a second and searched Facebook for the numbers using an interface that allows applications to link to Facebook data. Using the technique he was able to obtain scores of user profiles in minutes, including names, profile pictures and location data.
“By using a script, an entire country’s (I tested with the US, the UK and Canada) possible number combinations can be run through these URLs, and if a number is associated with a Facebook account, it can then be associated with a name and further details (images, and so on),” he wrote.
While the data he gathered is publicly available, what’s worrying is that the system could allow scammers to build massive databases of user details, Moaiandin said.
He contacted Facebook about the issue in April and again late last month, but was told that the company doesn’t consider the loophole a security or privacy problem.
Facebook told Moaiandin that there are checks in place that throttle the rate of such data requests, although those limits may be set higher than the rate used in the developer’s tests.
He urged the social network to set tighter limits in place and to encrypt users’ personal information.
“Facebook should be able to fix the problem by limiting the requests from a single user, and detecting patterns, before moving on to pre-encrypting all of its data,” he wrote.
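As an added illustration of the mitigation Moaiandin proposes (limiting requests per client and detecting patterns), the sketch below is not code from Facebook or from the original article: it throttles phone-number lookups per client inside a sliding window and flags a trailing run of adjacent numbers as suspected enumeration, replaying a constructed request log. The window, quota and threshold values are assumptions, not Facebook’s actual limits.

```python
from collections import Counter, defaultdict, deque

# Assumed policy values (not Facebook's actual limits, which the article does not give)
WINDOW_SECONDS = 60            # sliding window for the per-client lookup quota
MAX_LOOKUPS_PER_WINDOW = 20    # lookups one client may make inside the window
SEQUENTIAL_THRESHOLD = 10      # trailing run of adjacent numbers that signals enumeration


class LookupGuard:
    """Per-client throttle plus a pattern check for phone-number lookups."""
    def __init__(self):
        self.history = defaultdict(deque)  # client -> deque of (timestamp, number)

    def check(self, client, number, ts):
        q = self.history[client]
        while q and ts - q[0][0] > WINDOW_SECONDS:   # drop lookups outside the window
            q.popleft()
        q.append((ts, number))
        if len(q) > MAX_LOOKUPS_PER_WINDOW:
            return "throttled"
        if self._trailing_sequential_run(q) >= SEQUENTIAL_THRESHOLD:
            return "enumeration_suspected"
        return "allowed"

    @staticmethod
    def _trailing_sequential_run(q):
        """Length of the run of consecutive numbers (step 1) ending at the newest lookup."""
        nums = [int(number) for _, number in q]
        run = 1
        for i in range(len(nums) - 1, 0, -1):
            if abs(nums[i] - nums[i - 1]) != 1:
                break
            run += 1
        return run


def constructed_traffic():
    """Constructed sample request log as (ts, client, E.164 number); not real data."""
    log = [(t, "bulk-1", f"+1415555{t:04d}") for t in range(1, 13)]        # walks a block
    log += [(20 + i, "bulk-2", f"+4420700{(i * 7919) % 10000:04d}") for i in range(25)]
    log += [(30, "normal", "+14155550199"), (90, "normal", "+14155550150")]
    return log


def replay(log):
    # Run the guard over a log; returns {client: [verdict per lookup, in time order]}
    guard, verdicts = LookupGuard(), defaultdict(list)
    for ts, client, number in sorted(log):
        verdicts[client].append(guard.check(client, number, ts))
    return dict(verdicts)


def summarize(verdicts):
    return Counter(v for vs in verdicts.values() for v in vs)
```

In the constructed log the block-walking client is flagged at its tenth lookup, the scattered bulk client is throttled once it exceeds the quota, and the ordinary client passes untouched.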
Facebook said it has network monitoring tools in place to ensure data security and strict rules governing how developers may access data. The company emphasised that individual users can control how their data is accessed through Facebook’s privacy settings.
“The privacy of people who use Facebook is extremely important to us,” the company said in a statement.
Facebook has been regularly criticised over privacy issues, which have been the subject of multiple lawsuits against the company, including a pan-European lawsuit filed in Austria that alleges data protection violations.