For some, Facebook is synonymous with identity. User profiles can include a name (and it has to be real), phone number, address and images — all of which could then be used to create a false identity and hack other personal accounts.
A potential security flaw, identified by Reza Moaiandinm, technical director of SALT.agency, may allow hackers to use a Facebook API to identify a user’s account information without even having to decrypt the hashed ID. Moaiandinm ran telephone numbers through the system and discovered that if a person had associated his or her phone number with a Facebook account, he could then pull their name as well as other information, he wrote.
This lookup would not have to be done one phone number at a time. Moaiandinm wrote that he used a script to run through numbers en masse from the United States, the United Kingdom and Canada. The issue? As Moaiandinm notes, the resulting information can be sold on the Dark Web and used in phishing scams.
After making his discovery, Moaiandinm reached out to the Facebook support team — first in April. However, an engineer at the company could not replicate the reported flaw, Moaiandinm wrote, and asked for more information. He sent over more data, SlashGear reports, but then did not receive another response.
When he sent a message to the support team again in July, a reply read: “We do not consider it a security vulnerability, but we do have controls in place to monitor and mitigate abuse.” Some of those controls may be “rate throttling,” which prevents an attacker from running a large volume of telephone numbers through the system.
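As an added illustration (not from the article, and not Facebook’s own code), here is how a service owner could spot the mass-lookup pattern described above in its own API logs: flag a client key that resolves many distinct phone numbers within a short window with a high miss rate, which is the signature of running numbers en masse rather than looking up known contacts. The log format, thresholds and key names are constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed sample lookup log (not real data): timestamp, client key, phone, result.
# keyA sweeps consecutive numbers (mostly misses); keyB looks up three known contacts;
# keyC is slow and spread out; keyD retries one number repeatedly.
SAMPLE_LOG = """\
1 keyA +15550000001 miss
2 keyA +15550000002 miss
3 keyA +15550000003 hit
4 keyA +15550000004 miss
5 keyA +15550000005 miss
6 keyA +15550000006 miss
7 keyA +15550000007 hit
8 keyA +15550000008 miss
10 keyB +15550001111 hit
11 keyB +15550002222 hit
12 keyB +15550003333 hit
100 keyC +15550000009 miss
200 keyC +15550000010 miss
300 keyC +15550000011 miss
400 keyC +15550000012 miss
500 keyC +15550000013 miss
600 keyC +15550000014 miss
20 keyD +15550009999 miss
21 keyD +15550009999 miss
22 keyD +15550009999 miss
23 keyD +15550009999 miss
24 keyD +15550009999 miss
25 keyD +15550009999 miss
26 keyD +15550009999 miss
"""

def parse(lines):
    """Yield (ts, key, phone, hit) tuples from the assumed whitespace-separated format."""
    for line in lines:
        if not line.strip():
            continue
        ts, key, phone, result = line.split()
        yield int(ts), key, phone, result == "hit"

def flag_enumerators(lines, window=60, max_distinct=5, min_miss_ratio=0.5):
    """Return {key: (distinct_numbers, miss_ratio)} for keys that look like enumeration.

    A key is flagged when, inside any sliding window, it has queried more than
    max_distinct different numbers and at least min_miss_ratio of those queries missed.
    Counting distinct numbers (not raw requests) keeps retries of one number unflagged.
    """
    recent = defaultdict(deque)   # key -> deque of (ts, phone, hit) inside the window
    flagged = {}
    for ts, key, phone, hit in sorted(parse(lines)):
        q = recent[key]
        q.append((ts, phone, hit))
        while q and q[0][0] < ts - window:   # drop events older than the window
            q.popleft()
        distinct = {p for _, p, _ in q}
        miss_ratio = sum(1 for _, _, h in q if not h) / len(q)
        if len(distinct) > max_distinct and miss_ratio >= min_miss_ratio:
            flagged[key] = (len(distinct), round(miss_ratio, 2))
    return flagged
```

Only keyA trips the detector; the slow sweep (keyC) shows why the window should be paired with a longer-term distinct-number budget per client.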
But Moaiandinm wrote that he was not satisfied with these controls. “The communication with those APIs needs to be pre-encrypted and/or other measures need to be taken before this loophole is discovered by someone who could do harm,” Moaiandinm wrote. “They finally came back to me and told me that this is not a big issue – they have set limits and I should not worry about this problem. But frankly, I am very worried.”
A Facebook representative told technology news site V3 that the social network does have tools in place to “ensure data security.” The representative also noted that some of the information accessible through this flaw is public only because the user chose to make it so.
“We have strict rules that govern how developers are able to use our APIs to build their products. Developers are only able to access information that people have chosen to make public,” the representative wrote, according to V3. “Everyone who uses Facebook has control of the information they share. This includes the information people include within their profile, and who can see this information.”
The Facebook representative added that Facebook offers a user guide on what information is shared and how to control those settings. Facebook, a network of more than 1.49 billion monthly active users, has recently been introducing more tools to help users manage their privacy settings. Last month, Facebook released a new page called “Security Checkup” that offers new login alerts and password protection tips.
To hide your phone number, go to Facebook.com/settings?tab=mobile. Click “Remove” next to your phone number. If you’d like to keep your phone number associated, under the Privacy tab, change “Who can look you up using the phone number you provided?” to “Friends.”