The discovery of a flaw that lets users' phone numbers be looked up publicly, regardless of how they have restricted their contact-info visibility, hits Facebook where it hurts most: data privacy.
Security researcher Suriya Prakash found that a conflict between two Facebook privacy settings makes it possible to look up arbitrary users and tie their names to the phone numbers they supplied to the platform as an authentication element. The cause is that the "Who can look you up using the email address or phone number you provided" setting defaults to "Everyone", and that lookup setting effectively overrides a cautious user's choice of "Only me" for contact-info visibility: the number may be hidden on the profile, yet a search for it still returns the matching account.
Prakash's request that Facebook take corrective action to prevent mass collection of phone numbers was met with a reply from a Facebook Security staff member that there is "rate limiting on finding users via any means, including phone numbers." He then put that limit to the test with a macro script run against the mobile version of the site.
"So I decided to make a very simple POC," reads Prakash's blog post detailing the experiment. "It was just a macro script that read and saved the user names for a range of generated numbers, and sent it to them. Many of you might be wondering how I bypassed the 'Rate limiting' by Facebook. Well, simple: I used the mobile version! THAT'S ALL!"
The collection attempts were never blocked by the platform, and the consequences of exploiting the flaw at full scale would be considerable. "I also calculated that it would take a person with a large enough botnet (100k) and a slightly better script [...] just a couple of days to download the ENTIRE Username:Phonenumber list of Facebook's 600 million users who have mobile! Out of which at least 500 million would be vulnerable," added Prakash.
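The two weaknesses described above, a reverse-lookup path that honours only the "who can look you up" setting and a rate limit that applies to one front end but not another, can be modelled in a few dozen lines. The following is an added illustration written for this article, not Facebook's code; the profile field names, the endpoint labels "www" and "m", the limit of five lookups per window and the sample profiles are all constructed assumptions. The weak service counts only "www" requests against the limit, so the "m" path can be enumerated freely; the hardened service keys the budget on the client across every endpoint and refuses to resolve a number whose owner set its visibility to "only me".

```python
import time
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class Profile:
    name: str
    phone: str
    # Hypothetical field names standing in for the two settings named above.
    lookup_by_phone: str = "everyone"   # "Who can look you up ..." defaults to Everyone
    phone_visibility: str = "only_me"   # contact-info visibility chosen by the user


class SlidingWindowLimiter:
    """Allow at most `limit` requests per `window` seconds for a given key."""

    def __init__(self, limit, window, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self.hits = defaultdict(deque)

    def allow(self, key):
        now = self.clock()
        q = self.hits[key]
        while q and now - q[0] > self.window:
            q.popleft()                      # drop hits that fell out of the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class LookupService:
    """Reverse lookup phone -> display name, in a weak and a hardened variant."""

    def __init__(self, profiles, limiter, hardened):
        self.by_phone = {p.phone: p for p in profiles}
        self.limiter = limiter
        self.hardened = hardened

    def reverse_lookup(self, endpoint, client, phone):
        """Return ('limited', None), ('ok', None) or ('ok', name)."""
        if self.hardened:
            key = client                     # one budget per client, whatever the front end
        else:
            # Weak variant: only the desktop path is counted; the mobile path is exempt.
            key = (client, endpoint) if endpoint == "www" else None
        if key is not None and not self.limiter.allow(key):
            return ("limited", None)
        p = self.by_phone.get(phone)
        if p is None or p.lookup_by_phone != "everyone":
            return ("ok", None)
        if self.hardened and p.phone_visibility == "only_me":
            return ("ok", None)              # a hidden number must not be confirmable by search
        return ("ok", p.name)


def enumerate_range(service, endpoint, client, prefix, start, count):
    """Walk a block of generated numbers the way the macro script did."""
    found, limited = {}, 0
    for n in range(start, start + count):
        phone = f"{prefix}{n:04d}"
        status, name = service.reverse_lookup(endpoint, client, phone)
        if status == "limited":
            limited += 1
        elif name:
            found[phone] = name
    return found, limited


# Constructed sample data: three accounts in the block +15550000000..+15550000019.
SAMPLE_PROFILES = [
    Profile("Alice", "+15550000003", "everyone", "only_me"),
    Profile("Bob", "+15550000007", "everyone", "friends"),
    Profile("Carol", "+15550000011", "friends", "only_me"),
]


def build_service(hardened):
    # Fixed clock keeps every request inside one window, so results are deterministic.
    limiter = SlidingWindowLimiter(limit=5, window=60, clock=lambda: 0.0)
    return LookupService(SAMPLE_PROFILES, limiter, hardened)


if __name__ == "__main__":
    for hardened in (False, True):
        for endpoint in ("www", "m"):
            svc = build_service(hardened)
            found, limited = enumerate_range(svc, endpoint, "bot-1", "+1555000", 0, 20)
            print(f"hardened={hardened} endpoint={endpoint}: found={found} limited={limited}")
```

Running it shows the weak service leaking both Alice and Bob through "m" with nothing blocked, while the hardened service blocks after five requests on either path and never returns Alice, whose number is set to "only me", even within the budget.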
Vulnerabilities in online platforms do not seem to trouble the UK authorities much. They plan to let users sign in to a one-stop gov.uk website using existing online accounts, Facebook accounts included; the third party providing the login service must, however, have obtained Identity Assurance certification.
"We want to enable people to be able to prove their identity online, if they choose to, without the need for any national, central scheme. This way the citizen remains in charge, not the state," a Cabinet Office spokesman told the Telegraph.
Though in principle this would spare users yet another login, some warn that cybercriminals may well turn the feature to their own profit. "It's a laudable effort but given the powers of cyber-crime it's inevitable that they are going to attack the third-party identifiers and find ways through the system," Peter Warren, chairman of the Cyber Security Research Institute, told the Independent.