If you’ve got a Facebook account, chances are that you have told them an awful lot of information about yourself: your name, your location, your email address, your network of friends, your photos, your likes and dislikes… the list goes on.
And many people have told Facebook their mobile phone number as well.
But did you know that complete strangers can search Facebook’s database for your phone number and find your profile and grab your name, profile picture and more besides?
This isn’t a new feature. I first warned about the possible privacy dangers of your mobile number not being as private as you think back in 2012 – but it seems many people are unaware or have chosen not to adjust their privacy settings.
Light is shone on the issue once again, this time by software developer Reza Moaiandin, who wrote a few lines of code that went through every possible mobile phone number in the UK, United States and Canada, and scooped up Facebook users’ names, images and further information.
Moaiandin was surprised that his script’s large number of queries to the Facebook API didn’t trigger any form of blocking or throttling by the social network, and notified Facebook about what he perceived to be the risk of organised criminals using the same method to harvest innocent people’s information.
When he didn’t get a satisfactory reply, Moaiandin contacted Facebook again. At the end of July they replied, saying that they did not believe what the researcher had discovered constituted a security vulnerability.
Actually, I agree with Facebook. It isn’t a security vulnerability. But it is, potentially, a privacy issue – even though the only data accessed may be content that the user has chosen to leave ‘public’ on Facebook.
My concern would be that many Facebook users don’t understand the consequences of not tightening their privacy, and the potential ways in which that data could be abused. If Facebook cares about its community, it should perhaps do more to lead them in the right direction – perhaps ensuring that users are forced to choose whether they want to make their phone numbers publicly accessible, rather than Facebook deciding that the default should be public to the world.
Of course, Facebook has shown through its chequered history that it doesn’t really think that way.
There are, no doubt, legitimate services that query Facebook’s API very regularly, examining a large amount of data. It appears that Facebook has rate-throttling in place to prevent third-parties from polling its databases at a level that it finds uncomfortable, but that Moaiandin’s script didn’t reach those limits – even though it sounds as if he would have been able to access a large amount of data.
My reading of Moaiandin’s blog post is that either Facebook has not set the right rate-throttling levels, or that it should limit such wide access to its data to carefully approved parties rather than any Tom, Dick or Harry who wants to create an enormous database of contacts.
Even if they had eventually spotted what Moaiandin was doing and stopped him, could he simply have started again from a different IP address, or at a later time, and pieced together the data he had already collected?
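The throttling and detection questions raised above, as an added example that is not the article’s or Facebook’s own code: a sliding-window per-client limiter for a reverse-lookup endpoint, plus a check for runs of consecutive numbers that mark a sweep, run over a constructed request sample (the client ids, numbers and limits are assumptions).

```python
from collections import defaultdict, deque

# Constructed sample (made-up client ids and numbers) of reverse-lookup requests: (seconds, client id, number).
SAMPLE_REQUESTS = [
    (0.0, "client-A", "+447700900001"),
    (0.5, "client-A", "+447700900002"),
    (1.0, "client-A", "+447700900003"),
    (1.2, "client-B", "+447700900412"),
    (1.5, "client-A", "+447700900004"),
    (2.0, "client-A", "+447700900005"),
    (2.5, "client-A", "+447700900006"),
    (3.0, "client-A", "+447700900007"),
    (7.0, "client-B", "+447700900077"),
]

class LookupRateLimiter:
    """Sliding-window limiter: at most max_requests per window_seconds for each client."""
    def __init__(self, max_requests, window_seconds):
        self.max_requests = max_requests
        self.window_seconds = window_seconds
        self.history = defaultdict(deque)  # client id -> timestamps of allowed requests

    def allow(self, client_id, now):
        window = self.history[client_id]
        while window and now - window[0] >= self.window_seconds:
            window.popleft()  # drop requests that have aged out of the window
        if len(window) >= self.max_requests:
            return False  # over the limit: the request should be refused or delayed
        window.append(now)
        return True

def longest_sequential_run(numbers):
    """Longest run of numbers each one greater than the previous: the signature of a sweep."""
    best = run = 1 if numbers else 0
    for prev, cur in zip(numbers, numbers[1:]):
        run = run + 1 if int(cur.lstrip("+")) == int(prev.lstrip("+")) + 1 else 1
        best = max(best, run)
    return best

def analyse(requests, max_requests=5, window_seconds=10.0, run_threshold=5):
    """Return (refused requests per client, clients whose lookups look like a sequential sweep)."""
    limiter = LookupRateLimiter(max_requests, window_seconds)
    seen, refused = defaultdict(list), defaultdict(int)
    for ts, client, number in requests:
        seen[client].append(number)
        if not limiter.allow(client, ts):
            refused[client] += 1
    flagged = sorted(c for c, nums in seen.items() if longest_sequential_run(nums) >= run_threshold)
    return dict(refused), flagged
```

Note that the rate limiter alone only slows a patient client down; the sequential-run check is what distinguishes a sweep from a busy legitimate integration.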
So, if you are a Facebook user, what should you do?
Go to your Facebook privacy settings, and ensure that under “Who can look me up?” you have set “Who can look you up using the phone number you provided?” to “Friends” rather than Facebook’s default of “Everyone”.
While you’re at it, you may wish to check your other settings including “Who can look you up using the email address you provided?”.
If you do this, only your Facebook friends will be able to look you up on the site via your mobile phone number, and you have just made yourself that tiny bit more private.
Facebook stores the personal information of 1.5 billion people – data which can be immensely valuable to marketeers and criminals. To maintain the trust of its users, it should make it as difficult as possible for third-parties to scoop up even the publicly-shared information for non-approved purposes.
If you are on Facebook, and want to be kept updated with news about security and privacy risks, and tips on how to protect yourself online, join the Graham Cluley Security News Facebook page.
Hat-tip: The Guardian.
If you’re thinking of leaving Facebook, why not listen to this “Smashing Security” podcast we recorded:
Smashing Security #75: 'Quitting Facebook'
It's bad too though that they want your birthday, a helpful piece of information in stealing someone's identity.
"Actually, I agree with Facebook. It isn't a security vulnerability. But it is, potentially, a privacy issue – even though the only data accessed may be content that the user has chosen to leave 'public' on Facebook. "
It is true it isn't a security vulnerability. But they are using semantics to not have to worry about it (because they disagree, don't care, or because it is the Facebook way). It is still an issue and that includes (as you point out) privacy (which can lead to a variety of security problems for users). But then there is the fact it is public sharing:
Perhaps the issue is how much scanning he did. Whether they could realistically block it if he delayed it, is another matter entirely, and in some sense might make this a moot point.
The takeaway from this is everyone (that uses Facebook) needs to always be careful with what their settings are (and should probably revisit them every so often) and always be careful with how much you share. Of course the alternative is to delete their account (don't know if they delete properly or not). But that is probably too extreme for most people.
“…they are using semantics to not have to worry about it … It is still an issue and that includes…privacy (which can lead to a variety of security problems for users)."
That is exactly correct. Facebook's typically dodgy response to Reza Moaiandin's concerns amounts to semantic quibbling. Arguments over whether public access to the PII (personally identifiable information) collected by Facebook constitutes a security vulnerability or a privacy concern make little difference for practical purposes. Privacy concerns BECOME security concerns when PII can be used to thwart security measures.
The problem with Facebook (for me) is that staying on top of their constantly changing "features" requires more effort than it's worth. Their motto—"Move fast and break things"—applies to their own users' privacy settings. Everything is opt out; there is no one-time, set-it-and-forget-it über-privacy mode that ensures Facebook will not come up with a new way of subverting it.
"Of course the alternative is to delete their account… But that is probably too extreme for most people."
It wasn't too extreme for me. After less than a year of struggling to keep up with Facebook's determinedly persistent penchant for moving fast and breaking my privacy settings, the only rational course of action was to remove my account.
Anyone who has ever been a victim of identity theft knows that ultimately, privacy and security are inseparable. Those who are unable to see the connection in the short run are in for a painful lesson in the long run.
Graham
The privacy settings within Facebook are a challenge for many to keep up with. This guide from Rik Ferguson is an excellent resource for people to use when checking their security settings:
https://a248.e.akamai.net/f/489/2696/8m/countermeasures.trendmicro.eu/wp-content/uploads/2012/01/Making-the-Most-Out-of-Facebooks-Privacy-Settings.pdf
The part that didn't make sense to me is, why would a Facebook friend need to look you up, if he or she is already a Facebook friend?
On Facebook the word "friend" means something entirely different from real life.
Well said, Graham! Millions of hapless Facebook users are victims of epic semantic fraud, wherein "friends" become a liability rather than an asset.
By now, Facebook's tortured abuse of the language is legendary. They've conned their users into believing their Facebook account is "free". No it's not; that's more semantic legerdemain. Facebook monetizes their personal information and they pay the price in lost privacy and security.
Yep, there is no such thing as a free lunch.
Email, social media, etc… all have to make money and your privacy is the price you pay.
'Twas one of the main reasons I abandoned free email (I host my own mail server) and don't use Facebook.
Each to their own I guess.
>But it is, potentially, a privacy issue
Which is why Facebook doesn't care, they don't value your privacy.