If you have included your mobile phone number in your Facebook contact information, then you’ll be interested in a major security flaw discovered by Suriya Prakash.
Many people reluctantly give up their mobile number to Facebook to enable login approvals, myself included. As you can see in the image shown below, I have my phone number set to ‘Only Me.’
In a perfect world, my phone number would be safe from hackers,
scammers and other prying eyes on Facebook, but that is not the case.
There is a sneaky, conflicting privacy setting that overrides this one.
Located in your Privacy Settings under “How You Connect” the following option appears:
“Who can look you up using the email address or phone number you provided?”
This option is set to “Everyone” by default! As noted by Prakash,
there is not an option to totally restrict access to this information –
the best you can do is set the option to ‘Friends.’
Even more worrisome is the fact that Prakash was able to write and
execute a script to collect usernames and phone numbers of random
Facebook members. He estimated that a hacker could use a botnet to
obtain the data of all affected accounts in only a couple of days.
Prakash notified Facebook about the flaw, and it appears Facebook
didn’t fully comprehend the issue. They further stated that it was the
user’s responsibility to make sure they couldn’t be found based on the
phone number they had provided. Facebook also claimed the attack wasn’t a
serious threat because ‘rate limiting’ controls are in place to impede a
hacker’s efforts. Surprisingly, Prakash bypassed the rate limiting
measure by simply using the mobile version of Facebook.
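The rate-limit bypass above comes down to where the limit is keyed. As an added illustration (not Facebook's code and not Prakash's script), the following Python models a lookup-by-phone limiter keyed per frontend, which a client can sidestep by switching from the desktop site to the mobile one, beside the same limiter keyed on client and action only, so every frontend shares one budget; the class name, the "www"/"m" frontend labels and the request sequence are constructed assumptions.

```python
from collections import defaultdict, deque


class LookupRateLimiter:
    """Sliding-window limiter for a privacy-sensitive action (lookup by phone number).

    key_by_frontend=True models a limit enforced separately per frontend (www vs. mobile),
    so a client gets a fresh budget on each one. key_by_frontend=False keys the budget on
    the client and the action only, so desktop and mobile requests count against one limit.
    """

    def __init__(self, limit, window_s, key_by_frontend):
        self.limit = limit
        self.window_s = window_s
        self.key_by_frontend = key_by_frontend
        self._hits = defaultdict(deque)  # key -> timestamps of recent lookups

    def allow(self, client_id, frontend, now):
        key = (client_id, "phone_lookup", frontend if self.key_by_frontend else None)
        q = self._hits[key]
        # Drop timestamps that have fallen out of the window.
        while q and now - q[0] >= self.window_s:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def count_allowed(limiter, attempts):
    """Count how many lookups in a sequence of (client, frontend, time) get through."""
    return sum(1 for client, frontend, t in attempts if limiter.allow(client, frontend, t))


# Constructed scenario: one client issues 10 lookups via www, then 10 via the mobile
# frontend, all inside a single 60-second window.
ATTEMPTS = [("client-a", "www", t) for t in range(10)] + \
           [("client-a", "m", 10 + t) for t in range(10)]

if __name__ == "__main__":
    per_frontend = LookupRateLimiter(limit=5, window_s=60, key_by_frontend=True)
    per_client = LookupRateLimiter(limit=5, window_s=60, key_by_frontend=False)
    print(count_allowed(per_frontend, ATTEMPTS))  # 10: 5 on www, then 5 more on m
    print(count_allowed(per_client, ATTEMPTS))    # 5: one shared budget
```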
Prakash claims he has reached out to Facebook five times on this
issue, and they refuse to fix or even acknowledge the bug, so he decided
to go public with his findings.
Prakash believes that up to 500 million users could be affected by this vulnerability.
Until this issue is appropriately corrected by Facebook by adding the
‘Only Me’ option in the privacy settings, users are encouraged to set
the option to ‘Friends.’ You could also bypass the extra layer of
security provided by login approvals and remove your mobile number