Developer harvests thousands of Facebook users' data in minutes

Facebook has been warned to tighten up its security after a hacker managed to get hold of thousands of users' names, profile pictures and phone numbers, the media reported on Monday.

According to the South China Morning Post (SCMP), a developer used a simple loophole to obtain this information: when a user gives Facebook his or her phone number, that user can be searched for on the social network by that phone number.

The developer’s name is Moaiandin and he’s the technical director of Leeds-based technology company Salt.agency.

By default, this “Who can find me?” setting is set to “Everyone/public”. This is the default setting even if that user had chosen to withhold their mobile number from their public profile, SCMP says.

Using a simple algorithm, Moaiandin generated tens of thousands of mobile numbers a second and then sent these guesses to Facebook’s application programming interface (API).

Within minutes, Facebook responded with thousands of users’ profiles. With a simple cross-check, he was able to identify which of the guessed phone numbers were correct.
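The sweep described above, guessed numbers fired at a lookup API at a high rate with most guesses returning nothing, has a distinctive shape in server-side logs. The following detector is an added example written from the platform's side and is not Facebook's code; the log line format, the client identifier, and the volume and hit-ratio thresholds are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class LookupEvent:
    ts: float      # request time in seconds
    client: str    # API key or token identifier (assumed field)
    number: str    # phone number queried, digits only
    hit: bool      # whether a profile was returned


def parse_line(line):
    """Parse one constructed log line: '<ts> <client> <number> <hit|miss>'."""
    ts, client, number, result = line.split()
    return LookupEvent(float(ts), client, number, result == "hit")


def enumeration_suspects(events, window=60.0, max_lookups=100, max_hit_ratio=0.2):
    """Flag clients that exceed max_lookups within any window-second span
    while most of those lookups return nothing. A guessed-number sweep is
    high volume with a low hit ratio, whereas a contact upload queries
    numbers that largely belong to real people."""
    by_client = defaultdict(list)
    for e in events:
        by_client[e.client].append(e)
    suspects = {}
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:  # slide window start
                start += 1
            count = end - start + 1
            if count > max_lookups:
                hits = sum(1 for e in evs[start:end + 1] if e.hit)
                if hits / count < max_hit_ratio:
                    suspects[client] = {"lookups": count, "hits": hits}
                    break  # one alert per client is enough
    return suspects


def build_sample_log():
    """Constructed sample: a sweeping key firing 500 guesses in 10 s with
    one hit in twenty, and a normal key doing five lookups that resolve."""
    lines = [f"{i * 0.02:.2f} sweep-key 44770000{i:04d} {'hit' if i % 20 == 0 else 'miss'}"
             for i in range(500)]
    lines += [f"{i * 5:.2f} normal-key 4477100000{i} hit" for i in range(5)]
    return lines


if __name__ == "__main__":
    print(enumeration_suspects([parse_line(l) for l in build_sample_log()]))
```

A flagged client is a candidate for rate limiting or key suspension; the thresholds need tuning against the platform's own legitimate lookup traffic so that contact-sync bursts are not caught.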

Moaiandin compared it to “walking into a bank, asking for a few thousand customers’ personal information based on their account number, and the bank telling you: ‘Here are their customer details.’”

He alerted Facebook to the vulnerability in April through its “bug bounty” scheme and then again on 28 July, when a Facebook security engineer said it had measures to prevent suspicious behaviour.

The Facebook employee added: “We do not consider it a security vulnerability, but we do have controls in place to monitor and mitigate abuse.”