If you have included your mobile phone number in your Facebook contact information, then you’ll be interested in a major security flaw discovered by Suriya Prakash.
Many people reluctantly give up their mobile number to Facebook to enable login approvals, myself included. As you can see in the image shown below, I have my phone number set to ‘Only Me.’
In a perfect world, my phone number would be safe from hackers, scammers and other prying eyes on Facebook, but that is not the case. There is a sneaky, conflicting privacy setting that overrides this one.
Located in your Privacy Settings under “How You Connect,” the following option appears:
“Who can look you up using the email address or phone number you provided?”
This option is set to “Everyone” by default! As noted by Prakash, there is no option to totally restrict access to this information; the best you can do is set the option to ‘Friends.’
Even more worrisome is the fact that Prakash was able to write and execute a script to collect usernames and phone numbers of random Facebook members. He estimated that a hacker could use a botnet to obtain the data of all affected accounts in only a couple of days.
Prakash notified Facebook about the flaw, and it appears Facebook didn’t fully comprehend the issue. They further stated that it was the user’s responsibility to make sure they couldn’t be found by the phone number they had provided. Facebook also claimed the attack wasn’t a serious threat because ‘rate limiting’ controls are in place to impede a hacker’s efforts. Surprisingly, Prakash bypassed the rate limiting measure simply by using the mobile version of Facebook.
Prakash claims he has reached out to Facebook five times on this issue, and they refuse to fix or even acknowledge the bug, so he decided to go public with his findings.
Prakash believes that up to 500 million users could be affected by this vulnerability.
Until Facebook appropriately corrects this issue by adding the ‘Only Me’ option to this privacy setting, users are encouraged to set the option to ‘Friends.’ You could also forgo the extra layer of security provided by login approvals and remove your mobile number altogether.
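The two weaknesses described above are design problems on the service side: a lookup setting that cannot be set to ‘Only Me,’ and a rate limit that was enforced on one front end but not the other. The toy model below is an added illustration written for this post (not Facebook’s code, and every name and number in it is constructed) of how a phone-number lookup feature would avoid both: a real ‘only_me’ setting that is never discoverable, and a lookup budget counted per requester across all front ends, so switching to the mobile site does not reset the counter. A `shared_limiter=False` switch reproduces the per-front-end limiter for comparison.

```python
from collections import defaultdict


class PhoneLookupService:
    """Constructed model of a 'look me up by phone number' feature.

    Enforces the two controls the post says were missing: an 'only_me'
    setting that really hides the number, and a rate limit keyed on the
    requester alone, so every front end (web, mobile, ...) shares one budget.
    """

    RATE_LIMITED = "rate_limited"
    NOT_FOUND = "not_found"

    def __init__(self, max_lookups=5, shared_limiter=True):
        self.max_lookups = max_lookups
        self.shared_limiter = shared_limiter
        self.attempts = defaultdict(int)
        self.by_phone = {}               # phone -> (username, lookup setting)
        self.friends = defaultdict(set)  # username -> set of friend usernames

    def register(self, username, phone, setting="everyone"):
        # Default mirrors the post: discoverable by everyone unless changed.
        if setting not in ("everyone", "friends", "only_me"):
            raise ValueError("unknown lookup setting: %s" % setting)
        self.by_phone[phone] = (username, setting)

    def befriend(self, a, b):
        self.friends[a].add(b)
        self.friends[b].add(a)

    def lookup(self, requester, phone, front_end="web"):
        # The weak design keyed its limiter per front end, so a second front
        # end started with a fresh budget. The fix keys it on the requester.
        key = requester if self.shared_limiter else (requester, front_end)
        self.attempts[key] += 1
        if self.attempts[key] > self.max_lookups:
            return self.RATE_LIMITED
        entry = self.by_phone.get(phone)
        if entry is None:
            return self.NOT_FOUND
        username, setting = entry
        if setting == "everyone":
            return username
        if setting == "friends" and requester in self.friends[username]:
            return username
        # 'friends' for a non-friend, or 'only_me' for anyone, answers exactly
        # like an unknown number, so a harvester cannot distinguish the two.
        return self.NOT_FOUND
```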
*Update 11-OCT-12 – Allfacebook is reporting that Facebook has fixed the vulnerability that allowed phone numbers to be easily harvested from Facebook. We still contend that the issue isn’t appropriately addressed until users have the option to totally restrict who can look them up via their mobile number. As reported earlier this week, there is no ‘Only Me’ option for this privacy setting.