Facebook finally fixes phone number vulnerability after years of inaction

If you’ve given your phone number to Facebook, there is a good chance it’s been scraped along with your name and other information by way of a privacy vulnerability, Facebook announced recently.

And what’s more, privacy advocates, bloggers and software developers warned Facebook about this vulnerability years ago.

A number of years ago we warned about a certain setting on Facebook that allowed other Facebook users to enter your phone number into Facebook search to retrieve your Facebook account. By default, Facebook set the "Who can look me up using my phone number?" setting to "Everyone". That is, of course, the worst possible setting. To stop it, Facebook users needed to actively go into their Privacy settings and set the option to "Friends" or, better yet, "Only Me".

We even included it in our article on 5 common privacy mistakes made by Facebook users. Though to be fair, it’s not really a user mistake. Facebook should have never made that setting default to public in the first place.

What’s worse is that Facebook had a habit of resetting this particular setting, so even if you did go into your privacy settings and change the setting to something more privacy appropriate, Facebook could have reset it back, like it did with a number of our own accounts.

Allowing other Facebook users to look you up via your phone number allows them to pair your phone number with your name and any other public information someone could glean from your account. Such information could subsequently be used in a number of different ways, which can include calling you while pretending to be from your bank, or mobile phone company. Since the scammer would be armed with certain information about you, including your name, it makes the scam that much more convincing.

And users needn’t enter phone numbers manually, one after another. In 2015, we reported about a software developer who created a small program that could cycle through every phone number in the UK, Canada and USA and store every name and profile associated with that phone number (provided the Facebook user gave their phone number and left the setting at "Everyone").
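The flip side of the scraping described above is what it looks like to whoever runs the lookup feature. As an added example (not code from the original article, and not Facebook's), the following detector reads constructed reverse-lookup log lines in an assumed format of "epoch actor number hit|miss" and flags an actor who, within a short window, queries many numerically adjacent numbers with mostly failed lookups, the signature of someone cycling through a number range rather than looking up a friend.

```python
"""Flag phone-number enumeration in reverse-lookup logs (constructed example)."""
from collections import defaultdict

# Constructed sample log. Actor u42 walks a block of adjacent UK numbers one
# second apart (a hit every seventh number); actor u7 looks up three friends.
SAMPLE_LOG = "\n".join(
    [f"{1520000000 + i} u42 +4420710000{i:02d} {'hit' if i % 7 == 0 else 'miss'}"
     for i in range(40)]
    + ["1520000100 u7 +442071234567 hit",
       "1520000160 u7 +447700900123 miss",
       "1520000200 u7 +442079460000 hit"]
)


def parse_log(text):
    """Group (timestamp, numeric phone number, was_hit) events per actor."""
    records = defaultdict(list)
    for line in text.splitlines():
        ts, actor, number, result = line.split()
        records[actor].append((int(ts), int(number.lstrip("+")), result == "hit"))
    return records


def score_actor(events, window=300, min_lookups=20, max_hit_ratio=0.3, min_adjacent=0.5):
    """Return stats for the first `window`-second span in which the actor made at
    least `min_lookups` lookups, mostly misses, over mostly adjacent numbers;
    None if the actor never looks like an enumerator."""
    events = sorted(events)
    for i in range(len(events)):
        j = i
        while j < len(events) and events[j][0] - events[i][0] <= window:
            j += 1
        chunk = events[i:j]
        if len(chunk) < min_lookups:
            continue
        hit_ratio = sum(1 for _, _, hit in chunk if hit) / len(chunk)
        nums = sorted(n for _, n, _ in chunk)
        # Fraction of consecutive queried numbers that lie within 10 of each other.
        adjacent = sum(1 for a, b in zip(nums, nums[1:]) if b - a <= 10) / (len(nums) - 1)
        if hit_ratio <= max_hit_ratio and adjacent >= min_adjacent:
            return {"lookups": len(chunk), "hit_ratio": round(hit_ratio, 2),
                    "adjacent_ratio": round(adjacent, 2)}
    return None


def detect_enumeration(text, **thresholds):
    """Map each flagged actor to the stats that triggered the alert."""
    flagged = {}
    for actor, events in parse_log(text).items():
        result = score_actor(events, **thresholds)
        if result:
            flagged[actor] = result
    return flagged
```

Real lookup traffic from a legitimate user rarely exceeds a few queries and almost always hits, so the thresholds above separate the two behaviours cleanly on the sample; the adjacency test is what distinguishes range-walking from a user with a stale address book.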

Despite being warned of this vulnerability (and yes, the software developer above did report his findings to Facebook as well), Facebook refused to remove the phone number lookup feature. Well, until last week, that is, when Facebook CTO Mike Schroepfer announced that the feature will be retired, along with a startling revelation: that most Facebook users could have had their information scraped through this vulnerability.

Search and Account Recovery: Until today, people could enter another person’s phone number or email address into Facebook search to help find them. This has been especially useful for finding your friends in languages which take more effort to type out a full name, or where many people have the same name. In Bangladesh, for example, this feature makes up 7% of all searches. However, malicious actors have also abused these features to scrape public profile information by submitting phone numbers or email addresses they already have through search and account recovery. Given the scale and sophistication of the activity we’ve seen, we believe most people on Facebook could have had their public profile scraped in this way. So we have now disabled this feature. We’re also making changes to account recovery to reduce the risk of scraping as well.

It’s frustrating that despite the warnings, Facebook effectively ignored a privacy vulnerability up until the social network entered damage control in the wake of the Cambridge Analytica scandal, and it is only now that the site is removing the feature.

The bottom line is this – if you’ve given your phone number to Facebook, as many have done since it greatly improves account security, there is a high chance your name, number and other details that are public on your account are sitting somewhere in a database, waiting for someone to use them.

Published by
Craig Haley