Facebook says it has patched a security hole related to a little-known phone number search within Facebook. Specifically, the social network now limits the number of phone number lookups that any given IP address can perform on Facebook.
Last Friday, independent security researcher Suriya Prakesh published a blog post in which he claimed that “98 percent of your phone numbers [on Facebook] are not safe.” In the post, Prakesh demonstrated that a brute-force attack could be used to look up sequential phone numbers on Facebook and match them with their respective user names.
But first, a little background: It seems as though not many people realize this, but if you know someone’s phone number you can usually easily look them up on Facebook. Simply type the phone number into Facebook’s search bar and any profile associated with that phone number will pop up—even if that person has set their phone number to private.
Let me explain, because (surprise, surprise) Facebook doesn’t make that distinction very clear. There are two different privacy settings associated with phone numbers (and email addresses) on Facebook: One relates to what shows up on your profile, and one relates to what others can use to look you up on Facebook.
When you add a phone number or an email address to your Facebook profile, you can choose whether it shows up to everyone, friends only, just yourself, or to a custom list of people. This privacy setting is located right on the page when you add the phone number/email address. However, the other privacy setting, which relates to what people can use to look up your Facebook profile, is tucked away in Facebook’s privacy settings, under How You Connect.
By default, this setting is set to allow everyone and anyone to search for your email address or phone number on Facebook to find your Facebook profile. And since many people assume that setting their phone number or email address to private on their profile means that it’s private, most people never realize they need to change this setting as well.
So what Prakesh discovered was that Facebook’s phone number lookup, coupled with people’s ignorance of how Facebook privacy works (or rather, doesn’t work), could be exploited using a few choice pieces of code. Prakesh’s experiment showed that since Facebook didn’t curb the number of phone numbers that could be looked up, he was able to harvest phone numbers coupled with Facebook photos and names, which is somewhat useful data for advertisers and/or hackers.
Anyway, Facebook said Wednesday that it fixed this–Prakesh’s post now notes that he can no longer look up 10,000 phone numbers at a time. Facebook did say that, at the time of Prakesh’s experiment, it had a system in place for “preventing the malicious usage of [its] search functionality,” but it has since tweaked the system to be a little more sensitive.
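As an added illustration of the kind of mitigation the article describes (a per-IP cap on lookups), and not code from Facebook or from Prakesh's post: a small lookup guard that throttles a source address after a fixed number of lookups per minute and raises an alert when the same client walks consecutive phone numbers. The thresholds, the IP address and the phone-number range are constructed for this example.

```python
from collections import defaultdict, deque

# Assumed values, constructed for this example; the article does not state
# Facebook's actual thresholds.
WINDOW_SECONDS = 60
MAX_LOOKUPS_PER_WINDOW = 20
# Flag a client once it has looked up this many consecutive numbers in a row.
SEQUENTIAL_ALERT_THRESHOLD = 5


class LookupGuard:
    """Rate-limits contact-info lookups per source IP and flags sequential sweeps."""

    def __init__(self):
        self._history = defaultdict(deque)   # ip -> timestamps of recent lookups
        self._last_number = {}               # ip -> last phone number looked up
        self._run_length = defaultdict(int)  # ip -> length of current sequential run
        self.alerts = []                     # (ip, timestamp) of flagged sweeps

    def check(self, ip, phone_number, now):
        """Return True if the lookup may proceed, False if it is throttled."""
        window = self._history[ip]
        while window and now - window[0] >= WINDOW_SECONDS:
            window.popleft()  # drop lookups that fell out of the sliding window
        # Enumeration heuristic: each number is exactly one above the previous one.
        prev = self._last_number.get(ip)
        sequential = prev is not None and phone_number == prev + 1
        self._run_length[ip] = self._run_length[ip] + 1 if sequential else 1
        self._last_number[ip] = phone_number
        if self._run_length[ip] == SEQUENTIAL_ALERT_THRESHOLD:
            self.alerts.append((ip, now))
        if len(window) >= MAX_LOOKUPS_PER_WINDOW:
            return False
        window.append(now)
        return True


def simulate_enumeration(ip="203.0.113.7", start=15551230000, count=100):
    """Replay a constructed sequential sweep (one lookup every half second)
    and report how many lookups got through and how many alerts fired."""
    guard = LookupGuard()
    allowed = sum(guard.check(ip, start + i, now=i * 0.5) for i in range(count))
    return allowed, len(guard.alerts)
```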
However, Facebook also confirms that the phone number lookup is not a bug.
“The ability to search for a person by phone number is intentional behavior and not a bug in Facebook,” Facebook said this week in a statement. “By default, your privacy settings allow everyone to find you with search and friend finder using the contact info you have provided, such as your email address and phone number. You can modify these settings at any time from the Privacy Settings page.”
Keep your contact info safe on Facebook
Facebook’s phone number and email address lookup feature has long been the stalker’s secret. I admit to using it a time or two when I’ve been curious, or when I’ve wanted to find someone who has a particularly generic name.
Here’s what you can do to keep your Facebook contact information safe.
1. Don’t put your phone number/email address on Facebook.
Prakesh’s exploit used sequential phone numbers–he didn’t know the phone numbers of the people he was trying to find, he was just harvesting numbers. However, there are probably people–such as your parents, or your employer–who know your phone number and/or personal email address, but whom you do not want to find your Facebook account.
The easiest solution is to not add your phone number or email address to your Facebook account. Facebook doesn’t require a phone number (except for some features, such as two-factor authentication), but it does require an email address. I suggest setting up a “social networking-only” email address to use just for Facebook and junk mail.
2. Make your email address and phone number private
This is pretty easy–and a lot of people do it, thinking it will make their information completely private. It won’t, but you should still do it.
Go to your Facebook Timeline, and click About. On your About page, go to Contact Info > Edit (you’ll have to re-enter your password), and then check out the column on the right-hand side. Next to each piece of contact info you have listed, click the little arrow and choose Only Me.
3. Make your email address and phone number (relatively) unsearchable
After you make your email address and phone number private, you have to also make them unsearchable. To do this, click on the arrow next to the Home link in the top right corner of the screen, and click “Privacy Settings.”
Go to How You Connect > Edit Settings > Who can look you up using the email address or phone number you provided? Click the arrow next to this setting and choose Friends. You can’t choose Only Me for this setting–but you can prevent people who are not your explicit Facebook friends from looking you up using a phone number or an email address.
This story, "Facebook phone number lookups now limited, but you should still tweak this privacy setting" was originally published by TechHive.