Facebook users could be in danger of having their personal details harvested by hackers using a loophole in the social network's privacy system.
A security researcher has discovered an issue in which, using only a mobile phone number, a hacker could recover names, telephone numbers, images and location data in bulk from the social network.
An algorithm was used to run queries against a Facebook API which, according to Reza Moaiandin, technical director at technology firm Salt, could harvest "millions of users' personal data".
Moaiandin said the issue could be a “huge phishing problem” if Facebook did not move to limit the number of searches people could carry out on mobile numbers.
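One way such a limit on mobile-number searches could work, as an added example that is not from Moaiandin's post or from Facebook: a sliding-window cap on the number of distinct phone numbers a single client may look up. The class name, client ids, thresholds and sample log are assumptions made up for the illustration.

```python
from collections import defaultdict


class PhoneLookupLimiter:
    """Cap how many distinct phone numbers one client may look up per window."""

    def __init__(self, max_distinct=5, window_seconds=3600):
        self.max_distinct = max_distinct
        self.window = window_seconds
        self._seen = defaultdict(dict)  # client id -> {number: last lookup time}

    def allow(self, client_id, number, now):
        seen = self._seen[client_id]
        # Forget numbers whose last lookup has aged out of the window.
        for old in [n for n, t in seen.items() if now - t >= self.window]:
            del seen[old]
        # Re-checking a number already seen is normal contact-sync behaviour;
        # only a new number beyond the cap is refused.
        if number not in seen and len(seen) >= self.max_distinct:
            return False
        seen[number] = now
        return True


def blocked_clients(events, limiter):
    """Replay (timestamp, client_id, number) events; return clients that hit the cap."""
    blocked = set()
    for ts, client, number in events:
        if not limiter.allow(client, number, ts):
            blocked.add(client)
    return blocked


# Constructed sample log (fictional 555-01xx numbers, hypothetical client ids).
SAMPLE = (
    # app-a re-checks the same two contacts over and over.
    [(i * 60, "app-a", f"+1555555010{i % 2}") for i in range(20)]
    # app-b walks a block of consecutive numbers, one per second.
    + [(i, "app-b", f"+1555555{100 + i:04d}") for i in range(20)]
)

if __name__ == "__main__":
    print(blocked_clients(SAMPLE, PhoneLookupLimiter()))
```

Counting distinct numbers rather than raw requests lets a client that keeps re-checking a handful of contacts through, while a client working through a block of numbers is refused once it passes the cap.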
In a blog post, Moaiandin explained how the loophole works. "By using a script, an entire country's (I tested with the US, the UK and Canada) possible number combinations can be run through these URLs. And if a number is associated with a Facebook account it can then be associated with a name and further details," he said.
"Unfortunately, for the 1.44 billion people currently using Facebook, this [problem] means that sophisticated hackers and black market sellers can access names and mobile phone numbers in as little as an hour through reverse engineering - at a time when an entire identity can be sold for as little as US$5 (£3.20)."
“Perhaps the most worrying aspect of discovering this issue is that it happened entirely by mistake – I wasn't even searching for flaws in Facebook's security when I came across it,” added Moaiandin.
The researcher said that he alerted Facebook to the problem as early as April, but the response he received from an engineer was that they could not reproduce the problem. Moaiandin then got in contact with Facebook again in July, only to be told that the social network did “not consider it a security vulnerability, but we do have controls in place to monitor and mitigate abuse”.
In a statement to the media, Facebook said: “The privacy of people who use Facebook is extremely important to us. We have industry-leading proprietary network monitoring tools constantly running in order to ensure data security and have strict rules that govern how developers are able to use our APIs to build their products. Developers are only able to access information that people have chosen to make public.”
Moaiandin said the “communication with those APIs needs to be pre-encrypted and/or other measures need to be taken before this loophole is discovered by someone who could do harm.”
According to Peter Surrey, associate partner and head of Digital Forensics at consultancy GPW, the unanswered question is not so much about whether this particular feature represents a vulnerability, “as it is about whether or not the API can be used to extract sensitive data bypassing the controls accessible to a user of Facebook ie does the API grant access to information the user has asked to keep private. Moaiandin does not give sufficient detail in his post for us to be sure.”
“Depending on the answer, there may or may not be a problem,” he told SCMagazineUK.com.
Surrey said that there is likely to be a larger issue than the one identified by Moaiandin. “The average user of Facebook is unlikely to have any tools at their disposal to prevent information leaking out through such a mechanism until Facebook fixes it.”
He added that the organisational impact is minimal, since skilled attackers “already make heavy use of social media to reconnoitre a potential target and the addition of a bulk API doesn't do much to facilitate that targeted reconnaissance”.
David Baker, chief security officer at Okta, told SCMagazineUK.com that Facebook has a bad habit of updating privacy settings and making some data reappear as public. He added that users should check their security settings from time to time.
“In these cases, there can be a risk to organisations in the form of a socially engineered spear-phishing attack. Organisations can suggest that their employees update their privacy settings so that their personal information is not made public,” he said.