Earlier today, we reported on how a security researcher managed to collect countless phone numbers and their corresponding Facebook names with very little effort before the company could stop him. All he had to do was write an automated script to exploit some basic Facebook privacy settings.
For its part, Facebook gave us this explanation of what the script was exploiting:
The ability to search for a person by phone number is intentional behavior and not a bug in Facebook. By default, your privacy settings allow everyone to find you with search and friend finder using the contact info you have provided, such as your email address and phone number. You can modify these settings at any time from the Privacy Settings page.
So, how do you protect yourself? There are three options you need to know about.
Limit Who Can See Your Number
Go to Facebook.com, log in if you haven’t already, and click your name in the top-left corner. Click the “Update Info” button on the right side. Under Contact Info, click the “Edit” button. Next to your phone number there is a drop-down menu. Make sure it is not set to “Public”: set it to at least “Friends,” or to “Only Me.”
This ensures that someone visiting your profile cannot see your phone number unless they are your friend. So even if your profile is public (it probably shouldn’t be), your phone number is not visible to the public. Unfortunately, that’s not enough, because this setting only controls what is displayed on your profile; see the next option.
Limit Who Can Search Your Number
This is the part the researcher exploited to essentially build his Facebook phone book. Even if your phone number is hidden on your profile, anyone who already has the number can still search for it and find you. So if someone writes a script that generates phone numbers (randomly, or by sweeping through a range) and searches Facebook for each one, as the security researcher did, they can link phone numbers to Facebook profiles, which include people’s names and other information. Note that this works in the opposite direction from the first setting: the attacker starts with the number, not with your profile.
Here’s the setting that started it all:
Above you can see what the default options look like. To modify them, click the drop-down menu in the top-right corner on Facebook and choose “Privacy Settings.” Next, scroll down to “How You Connect” and click the blue “Edit Settings” link on the right-hand side.
Change “Who can look you up using the email address or phone number you provided?” to Friends, and adjust anything else you think should be changed. This stops anyone who is not already your friend from looking you up on Facebook with your phone number, which is exactly what the enumeration script relied on.
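To make the distinction between the two settings concrete, here is an added example (not code from the original article, and not Facebook’s code): a toy in-memory profile directory with both controls, a sweep of a number range in the style the researcher used, and a per-caller lookup budget of the kind a service could use to blunt such a sweep. The names, phone numbers, the “Public/Friends/Only Me” and “Everyone/Friends” values, and the budget size are all constructed for the demonstration. It shows that a user who only hid the number on their profile is still linked to their name by the sweep, while a user who also restricted lookup is not.

```python
# Added example, not from the original article: a toy model of the two
# Facebook controls discussed above. Option 1 governs who can SEE the number
# on a profile; option 2 governs who can FIND the profile by searching for
# the number. All profiles, numbers and the lookup budget are constructed.
from dataclasses import dataclass, field


class RateLimited(Exception):
    """Raised when a caller exceeds the directory's lookup budget."""


@dataclass
class Profile:
    name: str
    phone: str
    friends: set = field(default_factory=set)
    number_visibility: str = "Public"    # option 1, Facebook default
    lookup_by_number: str = "Everyone"   # option 2, Facebook default


def allowed(setting: str, viewer: str, profile: Profile) -> bool:
    """Evaluate a Public/Everyone, Friends or Only Me style setting for `viewer`."""
    if setting in ("Public", "Everyone"):
        return True
    if setting == "Friends":
        return viewer in profile.friends
    return False  # "Only Me" or anything unrecognised: deny


class Directory:
    """In-memory stand-in for a social network's profile store."""

    def __init__(self, profiles, lookup_budget=None):
        self.by_phone = {p.phone: p for p in profiles}
        self.lookup_budget = lookup_budget   # per-caller cap; None means unlimited
        self.queries = {}                    # caller -> lookups made so far

    def view_phone(self, viewer: str, target: Profile):
        """What a visitor to `target`'s profile page sees (option 1)."""
        return target.phone if allowed(target.number_visibility, viewer, target) else None

    def lookup(self, viewer: str, phone: str):
        """Reverse lookup: given a number, return the owner's name (option 2)."""
        used = self.queries.get(viewer, 0) + 1
        if self.lookup_budget is not None and used > self.lookup_budget:
            raise RateLimited(f"{viewer} exceeded {self.lookup_budget} lookups")
        self.queries[viewer] = used
        p = self.by_phone.get(phone)
        if p is None or not allowed(p.lookup_by_number, viewer, p):
            return None
        return p.name


def enumerate_phones(directory: Directory, viewer: str, prefix: str, count: int):
    """Sweep `count` consecutive numbers under `prefix`, the way the researcher's
    script did. Returns (number -> name hits, lookups actually made)."""
    hits, made = {}, 0
    for n in range(count):
        phone = f"{prefix}{n:04d}"
        try:
            name = directory.lookup(viewer, phone)
        except RateLimited:
            break   # the service cut the sweep off
        made += 1
        if name:
            hits[phone] = name
    return hits, made


def demo_profiles():
    """Constructed sample users (the 555-01xx range is reserved for fiction)."""
    alice = Profile("Alice", "5550100042")                               # both defaults
    bob = Profile("Bob", "5550107777", number_visibility="Friends")      # option 1 only
    carol = Profile("Carol", "5550100099", friends={"dave"},
                    number_visibility="Friends", lookup_by_number="Friends")  # options 1 and 2
    return [alice, bob, carol]


if __name__ == "__main__":
    d = Directory(demo_profiles())
    hits, made = enumerate_phones(d, "mallory", "555010", 10000)
    print(f"{made} lookups by a stranger linked: {hits}")   # Alice and Bob, not Carol
    throttled = Directory(demo_profiles(), lookup_budget=1000)
    print(enumerate_phones(throttled, "mallory", "555010", 10000))
```

Bob’s number is hidden on his profile page, yet the sweep still pairs it with his name, because the reverse lookup is a separate control; only Carol, who changed the lookup setting as well, stays unlinked. The lookup budget shows the other side of the equation: with a cap of 1,000 lookups per caller the stranger’s sweep stops after the first block of numbers, which is the kind of limit a service would need in place before a script like the researcher’s could be stopped.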
Remove Your Phone Number
If the above scared you, maybe you shouldn’t have your phone number on Facebook in the first place. Follow the steps from the first option and remove your phone number, or change it to a bogus one (keeping in mind that a made-up number may belong to someone else). If you don’t give information to Facebook, those who use the social network can’t use it to find you, or against you.
Image credit: Blas Lamagni