Personal data of Facebook users can be harvested via phone numbers

A newly reported vulnerability in the social giant Facebook lets hackers harvest your private information using only the mobile number you’ve associated with your Facebook account.

Currently, the social giant is a top target for hackers because of the massive amount of data Facebook holds. With more than a billion users and counting, stealing its users’ information may well be the dream of every hacker.

Salt’s technical director, Reza Moaiandin, discovered a method to steal users’ information via their mobile number. On Salt’s blog, Moaiandin said he found the vulnerability by mistake. He used a simple approach: the search feature that lets you look up any person on Facebook by phone number.

He says:

“A few months ago, I discovered a security loophole in Facebook that allows hackers to decrypt and sniff out Facebook user IDs using one of Facebook’s APIs in bulk – therefore allowing them to gather millions of users’ personal data (name, telephone number, location, images, and more). This post is an attempt to catch Facebook’s attention to get this issue fixed.”

Moaiandin said that when he found the flaw in Facebook, he created an algorithm that generates hundreds of phone numbers by itself. He then sent the generated numbers through Facebook’s API. After that, he says, users’ personal data and profiles soon started pouring in. Getting hold of a target’s personal data is the motive behind most Facebook hacking cases, so it will do nicely for many “dreamers”.

According to Moaiandin, the data is publicly available; however, because there is no limit on the number of searches a user can make, the vulnerability could be used to steal data about “billions” of users.

“By using a script, an entire country’s (I tested with the US, the UK and Canada) possible number combinations can be run through these URLs, and if a number is associated with a Facebook account, it can then be associated with a name and further details.”

He says that when he found the loophole in Facebook’s API, he contacted Facebook and alerted them to the vulnerability, but Facebook stated that this was not a loophole.

A spokesperson from Facebook told Moaiandin, “We do not consider it a security vulnerability, but we do have controls in place to monitor and mitigate abuse.”

According to Moaiandin, this loophole could lead to massive phishing attacks if Facebook takes no further steps and the vulnerability is found by hackers. Facebook should take proper measures to make those APIs encrypted before this vulnerability is found by blackhat hackers.

We are trying to contact Facebook for a reply on this loophole. As soon as we get a reply from the social giant, we will keep you posted.
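The bulk lookups described above leave a recognisable trace on the server side: one client querying many distinct numbers, often in sequence. The following is an added example, not code from Facebook or from Salt, of the kind of monitoring control a phone-lookup endpoint could apply; the log fields, thresholds and sample events are all constructed assumptions.

```python
from collections import defaultdict, deque

WINDOW = 60         # seconds of history kept per client (assumed value)
MAX_DISTINCT = 25   # distinct numbers allowed per window (assumed value)
SEQ_MIN = 10        # minimum lookups before the sequence test applies (assumed)
SEQ_RATIO = 0.5     # share of looked-up numbers whose successor was also looked up

def detect_bulk_lookups(events):
    """events: (timestamp, client_id, phone_number_as_int) tuples.
    Returns {client_id: (timestamp_first_flagged, reason)}."""
    history = defaultdict(deque)
    flagged = {}
    for ts, client, number in sorted(events):
        window = history[client]
        window.append((ts, number))
        while window[0][0] <= ts - WINDOW:      # drop lookups older than the window
            window.popleft()
        if client in flagged:
            continue
        distinct = {n for _, n in window}
        if len(distinct) > MAX_DISTINCT:
            flagged[client] = (ts, "volume")
        elif len(distinct) >= SEQ_MIN:
            # Enumeration walks a number range; a contact import is scattered.
            adjacent = sum(1 for n in distinct if n + 1 in distinct)
            if adjacent / len(distinct) >= SEQ_RATIO:
                flagged[client] = (ts, "sequential")
    return flagged

def sample_events():
    """Constructed lookup log with made-up client names and numbers."""
    base = 15555550100
    events = [(1000 + i, "client-A", base + i * 1013) for i in range(8)]   # contact import
    events += [(1000 + i, "client-B", base + i) for i in range(30)]        # range walk
    events += [(2000 + i, "client-C", base + i * 37) for i in range(30)]   # scattered bulk
    return events

if __name__ == "__main__":
    for client, (ts, reason) in detect_bulk_lookups(sample_events()).items():
        print(client, ts, reason)
```

A flagged client would then be throttled or challenged; the sequence test catches a range walk well before the plain volume ceiling does.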

by Stella Strouvali