Facebook has a reverse look-up feature where users can enter a phone number to find the person the number belongs to. Up until this week, that feature could be abused to look up thousands of numbers at once.
Facebook has patched the system that allowed a security researcher to look up random phone numbers on Facebook and harvest the names of the people who own the numbers. Now a user can perform a limited number of reverse look-ups from a given IP address, Facebook notes.
Wait a minute, you may be asking, you can look up phone numbers on Facebook?
"The ability to search for a person by phone number is intentional behaviour and not a bug in Facebook. By default, your privacy settings allow everyone to find you with search and friend finder using the contact info you have provided, such as your email address and phone number. You can modify these settings at any time from the Privacy Settings page," a Facebook spokesperson told us.
Let's break that down a bit, shall we?
It turns out that you can type a phone number into the top search bar, where you would normally type a group name, topic, or a friend's name, and see the profile of the person who owns that number. Now, you may be thinking that the reverse look-up won't work for your phone number because you've used Facebook's inline privacy controls to restrict who can see that information. Think again.
"Even if you altered your privacy settings to ensure that your phone number is only visible to you, other people can still use it to look you up," Graham Cluley, a senior technology consultant at Sophos, wrote on the Naked Security blog.
In yet another example of how privacy settings can be confusing on Facebook, those inline controls on your Timeline (the ones you set to determine who can see your contact information, such as phone number, email address, and address) have nothing to do with privacy, only visibility. Those controls just determine whether or not that information shows up on your Timeline. That doesn't mean the information is suppressed anywhere else on the social networking site, such as, say, in a reverse phone number look-up.
"When you edit settings on Timeline this only governs the visibility and you will need to modify your Privacy Settings to change the privacy of that information," the Facebook spokesperson informed us.
The privacy option, the one that really tells Facebook, "hey, don't display my phone number to people," is under the Privacy Settings menu under the section "How You Connect." The relevant control, "Who can look you up using the email address or phone number you provided?" is, by default, set to "Everyone" (as shown above).
"Once again, Facebook chose the least private default for your information," Cluley wrote.
I looked up a pretty security-conscious friend's phone number and found his profile. I asked him whether his phone number was public on the site or not, and he said he's restricted the number to be visible only to his family members (a custom list he'd created) and members of his networks. I asked him to check the privacy option.
"Everyone," he said over instant message, and then added, "That's not good."
Since most people assume that setting the phone number or email address to private on the profile means that it’s, you know, private, very few realise, or know about, the other setting that also needs to be changed.
The phone number abuse
As a result, it was possible to enter phone numbers at random and harvest the names and Facebook photos of the users associated with those numbers, independent security researcher Suriya Prakesh wrote in a blog post last Friday.
Facebook didn't have any limits on how many numbers could be looked up, letting Prakesh write a script to look up 10,000 phone numbers at a time, according to the blog post. Prakesh did sequential look-ups, just changing one digit at a time to see whether there was a user associated with that number.
Can you imagine how gleeful a telemarketer would be to have this information?
"Connecting a person’s phone number to a name is what every advertiser dreams of, and these sort of lists would fetch a LARGE price in the black market," Prakesh wrote.
Prakesh also estimated that someone with a big enough botnet (100,000 machines) and a script would take only a few days to go through the 600 million or so Facebook users who have a mobile phone.
Facebook tweaked the system on Wednesday, and Prakesh confirmed it is no longer possible to do mass-scale look-ups.
"Facebook has developed an extensive system for preventing the malicious usage of our search functionality and the scenario described by the researcher was indeed rate-limited and eventually blocked. We are constantly updating these systems to improve their effectiveness and address new kinds of attacks," the spokesperson for the social networking site said.
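The fix the article describes is a per-IP cap on reverse look-ups, and the abuse it describes is a script walking numbers one digit at a time. The following is an added illustration, not Facebook's code, of how a look-up endpoint can apply both a sliding-window per-IP rate limit and a simple sequential-enumeration signal, run over constructed sample log lines. The limit of 20 look-ups per 60 seconds, the run length of 5, the log format, and the IP addresses are all assumptions for the example; the article only says that look-ups per IP are now limited.

```python
"""Per-IP rate limiting plus sequential-enumeration detection for a
reverse phone-number look-up endpoint (added example; limits are assumed)."""
from collections import defaultdict, deque

# Assumed policy values; the article does not state Facebook's actual limits.
RATE_LIMIT = 20        # look-ups allowed per IP within the window
WINDOW_SECONDS = 60    # sliding window length in seconds
SEQUENTIAL_RUN = 5     # consecutive +/-1 numbers before flagging enumeration

# Constructed sample log lines: "<unix_ts> <client_ip> <number as typed>".
# 203.0.113.5 walks numbers one digit at a time, one look-up per second;
# 198.51.100.7 performs three unrelated look-ups. Both are documentation IPs.
SAMPLE_LOG = [f"{1000 + i} 203.0.113.5 +{15550100 + i}" for i in range(26)] + [
    "1003 198.51.100.7 (555) 123-4567",
    "1010 198.51.100.7 555-987-6543",
    "1040 198.51.100.7 +15550001",
]


def parse_line(line):
    """Split a log line into (timestamp, ip, number); the number is
    normalised to its digits so formatting differences do not hide a walk."""
    ts, ip, raw = line.split(" ", 2)
    digits = "".join(ch for ch in raw if ch.isdigit())
    return int(ts), ip, int(digits)


class LookupGuard:
    def __init__(self, limit=RATE_LIMIT, window=WINDOW_SECONDS, run=SEQUENTIAL_RUN):
        self.limit, self.window, self.run = limit, window, run
        self.recent = defaultdict(deque)  # ip -> timestamps of allowed look-ups
        self.last = {}                    # ip -> (last number seen, run length)

    def check(self, ts, ip, number):
        """Return "rate_limited", "enumeration_suspected" or "ok"."""
        q = self.recent[ip]
        # Drop timestamps that have aged out of the sliding window.
        while q and ts - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return "rate_limited"
        q.append(ts)
        # Count how many look-ups in a row differ from the previous one by 1.
        prev, run = self.last.get(ip, (None, 0))
        run = run + 1 if prev is not None and abs(number - prev) == 1 else 1
        self.last[ip] = (number, run)
        return "enumeration_suspected" if run >= self.run else "ok"


def summarize(log_lines, guard=None):
    """Run every line through the guard and count verdicts per IP."""
    guard = guard or LookupGuard()
    counts = defaultdict(lambda: defaultdict(int))
    for line in log_lines:
        ts, ip, number = parse_line(line)
        counts[ip][guard.check(ts, ip, number)] += 1
    return {ip: dict(c) for ip, c in counts.items()}


if __name__ == "__main__":
    for ip, verdicts in summarize(SAMPLE_LOG).items():
        print(ip, verdicts)
```

For the walking client the example reports 4 ordinary look-ups, 16 flagged as enumeration and 6 refused by the rate limit; the second client passes untouched. The enumeration signal is there because, as the post quoted above estimates, a large botnet spreads requests across enough addresses that a per-IP cap alone does little; flagging the pattern of the requests rather than only their count from one address is the complementary check.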
Want to make that phone number private? Head on over to the Privacy Settings and change "How You Connect" now! Also check out Neil Rubenking's helpful article on properly securing your Facebook account.