On Friday, a researcher by the name of Suriya Prakash claimed that the majority of phone numbers on Facebook are not safe. It’s not clear where he got his numbers from (he says 98 percent, while another time he says 500 million out of Facebook’s 600 million mobile users), but his demonstration certainly showed he could collect countless phone numbers and their corresponding Facebook names with very little effort.
Facebook has confirmed that it limited the Prakash’s activity but it’s unclear how long it took to do so. Prakash disagrees with when Facebook says his activity was curtailed.
Let’s rewind a bit. Prakash explains how he stumbled on the idea for his exploit back in September:
About a month ago I was just browsing FB on my FB mobile application and it had an option called “Find friends using contacts” ,what it does is that it compares the contact list from your phone to the FB database to see if you have any friends that are in your contacts but not on your Facebook account. I also later figured out that simply “searching” a persons phone number (Including country code) will show you their account.
In other words, all you have to do is pick a random phone number, search for it on Facebook, and if the owner allows you to (and Prakesh argues that most people do because Facebook’s privacy settings are confusing), you’ll see their profile, which typically includes at least their name and profile picture, if not more information. If you write code to automate the task, as Prakash did, you can create a phone book of everyone who lets you look them up on the social network with just a phone number.
Suriya contacted Facebook about his finding and got back this reply:
This was sent a month ago, and when Suriya didn’t hear back, he realized that he could still use his idea to gather a bunch of names and phone numbers. As such, he emailed the social networking giant again, but only received this reply:
After all that, Suriya decide to write a simple script that read and saved the user names for a range of generated phone numbers. Facebook of course limits the number of times you can search on the site, but Suriya claims he bypassed this all by simply using the mobile site, which he argues doesn’t do this (Facebook says otherwise). He generated random phone numbers in Excel and then ran the script on permutations of the link “http://m.facebook.com/search/?query=123456789” to find someone’s profile using their phone number.
Suriya alleges that for four days he wasn’t blocked or limited by Facebook a single time. Here’s how his script works:
What it does is that it opens up the page and saves the data. I can quickly sort out the “No result found” from the positive results. Also you can attack a certain mobile carrier or location if you know the specific area codes etc
Suriya sent the results to Facebook, but again the company did not reply. As such, he posted what he says is “a very small percentage” of what he managed to download from Facebook on PrivatePaste. The list consists of 846 phone numbers, with random digits blocked out to protect the innocent, and their corresponding names on Facebook.
For its part, Facebook denies Suriya’s claim that his script was not stopped. A spokesperson sent along the following statement:
Facebook has developed an extensive system for preventing the malicious usage of our search functionality and the scenario described by the researcher was indeed rate-limited and eventually blocked. We are constantly updating these systems to improve their effectiveness and address new kinds of attacks.
Suriya admits his script was eventually throttled after a few days. “After… a few hundred (at most) you get logged you out with the following message:”
Your account has been temporarily suspended. We have detected some suspicious activity coming from this IP. As a security precaution, your account has been temporarily suspended.
I asked Facebook to confirm that it had a working limiting system before this script came to light. “Yes, there were limits in place, and we subsequently made them more sensitive,” a Facebook spokesperson confirmed with The Next Web.
While Facebook and Suriya disagree on when he started getting blocked, at least they agree in that he was eventually limited. As for what the script was exploiting, Facebook gives this explanation:
The ability to search for a person by phone number is intentional behavior and not a bug in Facebook. By default, your privacy settings allow everyone to find you with search and friend finder using the contact info you have provided, such as your email address and phone number. You can modify these settings at any time from the Privacy Settings page.
We’re writing up a quick guide explaining how to protect yourself from having your phone number collected from your Facebook profile and we will update you when it’s live.
Image credit: Keith Syvinski