Facebook ignored a widely-known privacy flaw for years, allowing scammers, spammers, and other malicious parties to scoop up virtually all users’ names and profile details.
As I explained way back in 2012, when I was writing for the Sophos Naked Security blog, simply entering someone’s phone number or email address into Facebook’s search box would perform a reverse look-up and tell you who it belonged to, with any information they shared publicly on their Facebook profile.
Facebook had set the default setting for “Who can look you up using the email address or phone number you provided?” to “Everybody”. Which, of course, was the weakest possible privacy: no privacy at all.
Facebook knew that most people would never bother to change the setting, and at the same time pressured users to enter a phone number when creating an account or during verification.
Three years passed, and a software developer wrote just a few lines of code which automatically cycled through every possible mobile number in the UK, United States, and Canada, scooping up users’ names, photos, and other data.
That kind of information could be pretty useful for a scammer. For instance, they could phone you up pretending to be your mobile phone company, and refer to you by your name to appear more convincing.
Facebook didn’t stop the developer’s code from accessing hundreds of millions of its users’ profiles. What they did do is tell him that they didn’t consider it an issue.
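The point of the story above is that the scraping was never detected or throttled, even though bulk reverse look-ups leave an obvious pattern in server logs. The following is an added example, not Facebook's code or anything from the original article, showing how a service could spot that pattern: it parses a constructed access log for a hypothetical `lookup` endpoint, flags any client that queries too many distinct phone numbers or email addresses inside a sliding time window, and separately measures how sequential a client's numeric keys are, which distinguishes number-by-number cycling from a legitimate contact-list import. The log format, client identifiers, thresholds and sample numbers are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp> <client_id> lookup <phone-or-email>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) lookup (?P<key>\S+)$")

# Constructed sample log. client-A cycles through consecutive UK-style numbers,
# client-B makes two unrelated look-ups, client-C repeats one address.
SAMPLE_LOG = """\
2015-06-01T10:00:00 client-A lookup +447700900001
2015-06-01T10:00:01 client-A lookup +447700900002
2015-06-01T10:00:02 client-A lookup +447700900003
2015-06-01T10:00:03 client-A lookup +447700900004
2015-06-01T10:00:04 client-A lookup +447700900005
2015-06-01T10:00:05 client-A lookup +447700900006
2015-06-01T10:00:30 client-B lookup alice@example.com
2015-06-01T10:05:00 client-B lookup +447700900123
2015-06-01T10:06:00 client-C lookup bob@example.com
2015-06-01T10:06:01 client-C lookup bob@example.com
2015-06-01T10:06:02 client-C lookup bob@example.com
2015-06-01T10:06:03 client-C lookup bob@example.com
2015-06-01T10:06:04 client-C lookup bob@example.com
2015-06-01T10:06:05 client-C lookup bob@example.com
"""


def parse_log(text):
    """Parse log lines into (timestamp, client, key) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not look-up requests
        events.append((datetime.fromisoformat(m["ts"]), m["client"], m["key"]))
    events.sort()
    return events


def detect_enumeration(events, window=timedelta(seconds=60), max_distinct=5):
    """Return {client: first_flagged_timestamp} for clients that looked up more
    than max_distinct different keys within any sliding window of length window.
    Repeating the same key does not count; only distinct keys indicate scraping."""
    recent = defaultdict(deque)  # per-client queue of (timestamp, key) in window
    flagged = {}
    for ts, client, key in events:
        q = recent[client]
        q.append((ts, key))
        while q and ts - q[0][0] > window:
            q.popleft()  # drop events that fell out of the window
        distinct = len({k for _, k in q})
        if distinct > max_distinct and client not in flagged:
            flagged[client] = ts
    return flagged


def sequential_fraction(events, client):
    """Fraction of a client's consecutive numeric look-ups that step by exactly 1.
    Near 1.0 means the client is cycling through a number range; a real contact
    import produces unrelated numbers and scores near 0."""
    nums = [int(k.lstrip("+")) for _, c, k in events
            if c == client and k.lstrip("+").isdigit()]
    if len(nums) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(nums, nums[1:]) if b - a == 1)
    return steps / (len(nums) - 1)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for client, ts in detect_enumeration(evs).items():
        print(f"{client}: enumeration suspected at {ts.isoformat()}, "
              f"sequential fraction {sequential_fraction(evs, client):.2f}")
```

Running the block flags only `client-A`, at the sixth look-up, with a sequential fraction of 1.0; `client-B` stays under the distinct-key threshold and `client-C` never exceeds one distinct key. In practice the window and threshold would be tuned against real traffic, and a flagged client would be rate-limited or challenged rather than simply logged.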
Another three years have passed, and Facebook is finding itself in hot water after the Cambridge Analytica debacle.
With its share price slammed by allegations that its business model is not taking users’ privacy seriously, Facebook published a blog this week detailing some of the changes it was making.
Finally, Facebook is acknowledging that offering a reverse look-up based on phone numbers and email addresses is disastrous, and says it is disabling the feature.
But more than that, it is admitting that “most people on Facebook could have had their public profile scraped in this way.”
Anyone who didn’t change their privacy settings after adding their phone number should assume that their information has been harvested.
Facebook chief Mark Zuckerberg acknowledged the scale of the problem in a Q&A with journalists:
“I certainly think that it is reasonable to expect that if you had that setting turned on, that at some point during the last several years, someone has probably accessed your public information in this way.”
How long is it going to take before people wake up to what’s going on here? Facebook’s business model is no secret, and is fundamentally incompatible with a growing number of people’s desire for online privacy.
Even when told about serious problems, Facebook ignored them.
If you’re thinking of leaving Facebook, why not listen to this “Smashing Security” podcast we recorded: