A self-proclaimed security enthusiast has exposed a major flaw in Facebook, one in which nearly every user's phone number can be used to view their personal information. His name is Suriya Prakash, and his method of harvesting numbers involves using Facebook's mobile site to bypass the search limits imposed on the social networking site's regular portal, or so he claims. Here's how he explains it.
"About a month ago I was just browsing Facebook on my Facebook mobile application and it had an option called 'Find friends using contacts' -- what it does is that it compares the contact list from your phone to the Facebook database to see if you have any friends that are in your contacts but not on your Facebook account," Prakash told The Next Web. "I also later figured out that simply 'searching' a person's phone number (including country code) will show you their account."
Using Prakash's method, a person could search a random phone number and view that person's full profile, and it works nearly every time since, according to Prakash, Facebook's privacy settings are confusing, so most people haven't adequately protected themselves. That in and of itself isn't too egregious, but the fact that Prakash claims he was able to write a script that harvests a massive phone book of everyone who lets themselves be looked up on Facebook is the scary part.
The script he wrote saved user names for a range of generated phone numbers. Facebook protects users from this behavior on its main site by limiting the number of searches a client can initiate, but Prakash claims he sidestepped that limit by running the script against Facebook's mobile site, where he says it worked like a charm for four days straight before Facebook eventually caught on.
"Facebook has developed an extensive system for preventing the malicious usage of our search functionality and the scenario described by the researcher was indeed rate-limited and eventually blocked," a Facebook spokesperson explained. "We are constantly updating these systems to improve their effectiveness and address new kinds of attacks."
Prakash acknowledges that Facebook eventually blocked his script, but not before he was able to harvest thousands of phone numbers. He also says he alerted Facebook about the vulnerability, but was ignored until his proof-of-concept started to receive media attention.
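The weakness the article describes is a lookup budget enforced per portal (www versus mobile) rather than per requesting actor. The following is an added illustration, not code from the article or from Facebook: a small detector run over constructed search-log lines (the log format, the one-minute window and the limit of five lookups are assumptions) that keys the budget on the actor across every endpoint and also notes when the looked-up numbers form a consecutive range, the signature of a generated phone book.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of search-API log lines (not real Facebook logs):
# "<ISO timestamp> <actor> <endpoint> phone=<number with country code>"
SAMPLE_LOG = """\
2012-10-01T10:00:00 actor-A www phone=+14155550100
2012-10-01T10:00:01 actor-A m phone=+14155550101
2012-10-01T10:00:02 actor-A m phone=+14155550102
2012-10-01T10:00:03 actor-A m phone=+14155550103
2012-10-01T10:00:04 actor-A www phone=+14155550104
2012-10-01T10:00:05 actor-A m phone=+14155550105
2012-10-01T10:00:30 actor-B www phone=+442079460958
2012-10-01T10:05:00 actor-B m phone=+14155550199
"""

WINDOW = timedelta(minutes=1)  # assumed sliding window
LIMIT = 5                      # assumed phone lookups allowed per key per window

def parse_line(line):
    ts, actor, endpoint, query = line.split()
    return datetime.fromisoformat(ts), actor, endpoint, query.split("=", 1)[1]

def flag_enumerators(log_text, window=WINDOW, limit=LIMIT, per_endpoint=False):
    """Return {actor: (lookups_in_window, endpoints_used, sequential)} for
    every actor whose phone lookups exceed `limit` inside `window`.
    With per_endpoint=False the budget is shared across www and mobile, which
    is the fix; per_endpoint=True reproduces the per-portal scoping that a
    client can sidestep simply by switching to the other site."""
    events = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, actor, endpoint, number = parse_line(line)
        key = (actor, endpoint) if per_endpoint else (actor,)
        events[key].append((ts, endpoint, number))
    flagged = {}
    for key, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide the window
                start += 1
            span = evs[start:end + 1]
            if len(span) > limit:
                nums = [int(e[2]) for e in span]  # int() accepts the leading '+'
                sequential = all(b - a == 1 for a, b in zip(nums, nums[1:]))
                flagged[key[0]] = (len(span), sorted({e[1] for e in span}), sequential)
                break
    return flagged
```

With the shared budget actor-A is flagged after six consecutive numbers split across both portals; scoped per endpoint the same actor stays under the limit on each site and nothing is flagged.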