Facebook has been urged to tighten its privacy settings after a software engineer was able to harvest data about thousands of users – simply by guessing their mobile numbers.

The developer obtained the names, profile pictures and locations of users who had linked their mobile number to their Facebook account but had chosen not to make it public.

Security experts said the loophole would allow hackers to build enormous databases of Facebook users for sale on internet black markets. “They should be attempting to prevent the widescale hoovering up of data, and I’m disappointed to hear that they appear to have failed on this occasion,” said Graham Cluley, a computer security analyst.

Reza Moaiandin, the software engineer who discovered the flaw, exploited a little-known privacy setting allowing anyone to find a Facebook user by typing their phone number into the social network.

By default, this Who can find me? setting is set to Everyone/public – meaning anyone can find another user by their mobile number. This is the default setting even if that user had chosen to withold their mobile number from their public profile.

Using a simple algorithm, Moaiandin generated tens of thousands of mobile numbers a second and then sent these numbers to Facebook’s application programming interface (API), a tool that allows developers to build apps linked to the social network. Within minutes, Facebook sent him scores of users’ profiles.

All the information Moaiandin received was publicly available, but the ability to link the profiles to mobile numbers on such a large scale leaves the system open to abuse.

Cluley said Facebook should make it “as difficult as possible” for third parties to scoop up even the publicly shared information belonging to Facebook’s 1.5bn users.

“If Facebook cares about its community, it should perhaps do more to lead them in the right direction – perhaps ensuring that users have to choose whether they want to make their phone numbers publicly accessible, rather than that being a default,” he said.

Moaiandin, the technical director of Leeds-based technology company Salt.agency, compared it to “walking into a bank, asking for a few thousand customers’ personal information based on their account number, and the bank telling you: ‘Here are their customer details.’”

Facebook insists it has strict rules that limit how developers are able to use its API and that it takes action against anyone who breaks them.

Moaiandin said it could take minutes to find the mobile number of a celebrity or high-profile politician if that person had connected their phone to Facebook and not selected “friends-only” under the “Who can find me?” privacy settings.

Courtesy: theguardian