A UK software developer discovered a large loophole in Facebook's defenses that allowed him to obtain users' names, profile pictures, locations and more just by guessing their mobile numbers. How did he uncover so much private information? Easy: Facebook's Graph API, the same interface Facebook offers to app developers.
You may not know it, but the default for the "who can find me?" lookup setting is "Everyone/Public." That means anyone who knows, or simply guesses, your mobile number can find your profile. So the developer who discovered the weakness, Reza Moaiandin, wrote a script that generated tens of thousands of plausible mobile numbers and submitted them to Facebook's developer API. For every number that matched a registered account, Facebook returned the corresponding user profile.
Moaiandin reported the loophole through Facebook's bug bounty program, but Facebook replied that it did not consider the behaviour a major security vulnerability. Some experts disagreed and called on Facebook to change the default setting for its users.
“They should be attempting to prevent the widescale hoovering up of data, and I’m disappointed to hear that they appear to have failed on this occasion,” Graham Cluley, a computer security analyst, told The Guardian. “If Facebook cares about its community, it should perhaps do more to lead them in the right direction—perhaps ensuring that users have to choose whether they want to make their phone numbers publicly accessible, rather than that being a default.”
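As an added illustration (not code from the article, from Moaiandin, or from Facebook), the following Python models the two halves of the story above: the number-enumeration attack described in the second paragraph, and the default-setting argument in Cluley's quote. The lookup service, the profile data, the client name "scraper_app" and the per-client lookup budget are all constructed for this example; the phone numbers come from the UK drama range reserved by Ofcom, so none of them belongs to a real person.

```python
"""Toy model of a reverse phone-number lookup endpoint (constructed
example, not Facebook's real API). It shows why a sequential guess of a
whole number block harvests every account that is discoverable by
everyone, and what a non-public default plus a per-client budget does."""
from dataclasses import dataclass, field
from typing import Iterable, Optional
import random


@dataclass
class Profile:
    name: str
    phone: str               # E.164 form, e.g. "+447700900123"
    lookup_audience: str     # who may find this profile by phone: "everyone", "friends" or "only_me"
    friends: set = field(default_factory=set)


class LookupService:
    """Hypothetical endpoint: phone number -> profile name.

    per_client_budget caps how many lookups one API client may make;
    None models the unmetered behaviour the article describes.
    """

    def __init__(self, profiles: Iterable[Profile], per_client_budget: Optional[int] = None):
        self.by_phone = {p.phone: p for p in profiles}
        self.budget = per_client_budget
        self.spent: dict = {}            # client id -> lookups made so far

    def lookup(self, client: str, phone: str) -> Optional[str]:
        # Every query, hit or miss, counts against the client's budget.
        if self.budget is not None:
            used = self.spent.get(client, 0)
            if used >= self.budget:
                raise PermissionError("per-client lookup budget exhausted")
            self.spent[client] = used + 1
        p = self.by_phone.get(phone)
        if p is None:
            return None
        if p.lookup_audience == "everyone":
            return p.name
        if p.lookup_audience == "friends" and client in p.friends:
            return p.name
        return None                      # only_me, or a non-friend asking


def uk_mobile_block(prefix: str = "+447700900", width: int = 3) -> list:
    """Every number in one block. +44 7700 900xxx is Ofcom's reserved
    drama range, so none of these numbers is a real subscriber."""
    return [f"{prefix}{n:0{width}d}" for n in range(10 ** width)]


def harvest(service: LookupService, client: str, numbers: Iterable[str]) -> dict:
    """The enumeration attack: try every number, keep every hit,
    and stop when the service cuts the client off."""
    found = {}
    for phone in numbers:
        try:
            name = service.lookup(client, phone)
        except PermissionError:
            break
        if name is not None:
            found[phone] = name
    return found


def compare_defaults(seed: int = 1, population: int = 40, budget: int = 100) -> tuple:
    """Run the same enumeration against two constructed user bases:
    1. everyone discoverable by phone, no per-client limit (the reported state);
    2. friends-only discoverability plus a per-client lookup budget.
    Returns (profiles leaked in case 1, profiles leaked in case 2)."""
    numbers = uk_mobile_block()
    phones = random.Random(seed).sample(numbers, population)
    open_users = [Profile(f"user{i}", ph, "everyone") for i, ph in enumerate(phones)]
    hardened_users = [Profile(f"user{i}", ph, "friends") for i, ph in enumerate(phones)]
    leaked_open = harvest(LookupService(open_users), "scraper_app", numbers)
    leaked_hardened = harvest(LookupService(hardened_users, budget), "scraper_app", numbers)
    return len(leaked_open), len(leaked_hardened)


if __name__ == "__main__":
    print("profiles leaked (Everyone, no limit) vs (Friends, budgeted):", compare_defaults())
```

The point the model makes is that a phone number is not a secret: the attacker's cost is simply linear in the size of the number block, so with a public-by-default lookup every registered number in the block is recovered. Only two things change the outcome, a non-public default (the attacker is not a friend of anyone) or a hard per-client cap that stops the walk early; rate limiting alone slows the harvest but does not prevent it if the client is patient.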
To set your mobile number to 'Only Me,' follow the directions below:
- Click on your name in the top right corner
- Click the 'About' tab located below your cover photo
- Hover your mouse over your contact information and an edit link will appear
- Hover your mouse over your phone number and the audience selector will appear
- Set your mobile number to Only Me
- Share the alert with your friends
Note that this audience selector only controls who can see the number on your profile page. The lookup that Moaiandin abused is governed by a separate setting, "Who can look you up using the phone number you provided?", found under Privacy Settings; check that one as well and change it from Everyone to Friends.