London, UK (BBN) - Facebook users may want to think twice before putting a phone number on their profile.
The social network encourages anybody who uploads pictures from their mobile to add their number too, reports the Daily Mail.
But if they do, anybody can find that person’s name, picture and location – regardless of their privacy settings – by typing their number into the search bar.
Underlining the danger, a British software engineer has harvested the personal details of thousands of users simply by generating random phone numbers.
Reza Moaiandin, technical director of Salt.agency, wrote a script to generate every possible phone number in the UK, US and Canada.
He then submitted millions of those numbers in bulk to Facebook’s developer interface (API).
In return, he received millions of matching profiles, unobstructed by any privacy control.
Despite notifying Facebook in April, and calling for the API to be pre-encrypted, the loophole remains open, leaving the site’s 1.44 billion users exposed to bulk harvesting of their details.
‘We do not consider it a security vulnerability, but we do have controls in place to monitor and mitigate abuse,’ a Facebook spokesman told Moaiandin, according to his blog.
Moaiandin said in a statement to the Mail: ‘With this security loophole, a person with the right knowledge can harvest the non-private details of the users who allow public access to their phone numbers, enabling the harvester to then use or sell on the user details for purposes that the user may not be happy with.’
The cyber criminals’ black market has become even more profitable than the illegal drug trade, according to a report last year by the national security division of RAND Corporation.
Pictures, names, phone numbers, education history, and locations can be sold on a network of illegal trading sites, the report found.
Typically, hackers sell vast quantities of data in bulk for an astonishing profit.
Twitter and Facebook accounts are now more profitable than stolen credit cards, according to the report.
In an email to Daily Mail Online, Facebook defended its security settings, insisting users can adjust their privacy settings to stop people searching their information using a phone number.
The spokesman added that developers using the site’s APIs are subject to strict rules, and the firm uses ‘rate limits’ to prevent abuse of APIs, adding that they have taken action against developers who have abused those policies.
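The enumeration described above (generate a block of numbers, submit each to a reverse-lookup endpoint, keep whatever comes back) and the two controls the spokesman cites, rate limits and abuse monitoring, can be shown side by side. The following is an added example written for this page, not code from the article, from Moaiandin or from Facebook: a mock lookup service, a constructed three-entry directory using numbers from the Ofcom block reserved for fiction, and an enumerator that walks that block. The service name, the `searchable` flag standing in for the privacy setting, the thresholds and the query rate are all assumptions.

```python
"""Added example, not code from the article or from Facebook: a simulation of
phone-number enumeration against a mock reverse-lookup service that can apply
a rate limit and a hit-rate abuse monitor. All names, numbers and thresholds
are constructed for the demonstration."""
from collections import deque
from dataclasses import dataclass, field

# Constructed directory. The numbers sit in the Ofcom block reserved for drama
# use (07700 900000 to 07700 900999), so they belong to nobody. 'searchable'
# stands in for the privacy setting that opts a user out of lookup by number.
DIRECTORY = {
    "+447700900123": {"name": "Ann Example", "location": "Leeds", "searchable": True},
    "+447700900456": {"name": "Bob Example", "location": "Bristol", "searchable": True},
    "+447700900789": {"name": "Cy Example", "location": "Glasgow", "searchable": False},
}


@dataclass
class ClientState:
    recent: deque = field(default_factory=deque)  # query timestamps inside the rate window
    answered: int = 0   # lookups the service actually processed
    hits: int = 0       # lookups that returned a profile
    blocked: bool = False


class ReverseLookupService:
    """Mock 'find by phone number' endpoint (an assumption, not Facebook's API)."""

    def __init__(self, rate_limit=None, window_seconds=60.0,
                 abuse_min_queries=None, abuse_max_hit_rate=0.05):
        self.rate_limit = rate_limit                # None disables rate limiting
        self.window = window_seconds
        self.abuse_min_queries = abuse_min_queries  # None disables abuse monitoring
        self.abuse_max_hit_rate = abuse_max_hit_rate
        self.clients = {}

    def lookup(self, client_id, number, now):
        """Return (status, profile); status is 'ok', 'rate_limited' or 'blocked'."""
        st = self.clients.setdefault(client_id, ClientState())
        if st.blocked:
            return "blocked", None
        if self.rate_limit is not None:
            # Sliding-window limit: forget timestamps that aged out, refuse if full.
            while st.recent and now - st.recent[0] >= self.window:
                st.recent.popleft()
            if len(st.recent) >= self.rate_limit:
                return "rate_limited", None
            st.recent.append(now)
        entry = DIRECTORY.get(number)
        profile = None
        if entry is not None and entry["searchable"]:
            profile = {"name": entry["name"], "location": entry["location"]}
        st.answered += 1
        if profile is not None:
            st.hits += 1
        # Abuse signal: many lookups of which almost none match means the client
        # is dialing numbers at random rather than matching a real contact list.
        if (self.abuse_min_queries is not None
                and st.answered >= self.abuse_min_queries
                and st.hits / st.answered < self.abuse_max_hit_rate):
            st.blocked = True
        return "ok", profile


def enumerate_block(service, client_id, first, last, seconds_per_query=0.01):
    """Query every number from first to last inclusive, as the article's script did
    for whole countries, and report the profiles found and each response type."""
    found = {}
    outcomes = {"ok": 0, "rate_limited": 0, "blocked": 0}
    now = 0.0
    for n in range(first, last + 1):
        number = f"+44{n}"
        status, profile = service.lookup(client_id, number, now)
        outcomes[status] += 1
        if profile is not None:
            found[number] = profile
        now += seconds_per_query
    return found, outcomes


FIRST, LAST = 7700900000, 7700900999  # the 1,000-number drama block


def run_scenarios():
    """Run the same enumeration against an open, a rate-limited and a monitored service."""
    results = {}
    for label, svc in (
        ("open", ReverseLookupService()),
        ("rate_limited", ReverseLookupService(rate_limit=300, window_seconds=60.0)),
        ("monitored", ReverseLookupService(abuse_min_queries=200)),
    ):
        results[label] = enumerate_block(svc, "harvester", FIRST, LAST)
    return results


if __name__ == "__main__":
    for label, (found, outcomes) in run_scenarios().items():
        print(f"{label:13s} {outcomes}  harvested: {sorted(found)}")
```

Against the open service the walk recovers both searchable entries and never the opted-out one, which is the behaviour the spokesman describes. The rate limit only caps throughput: the harvester still gets every match inside its 300-query budget and can resume after the window, or spread the work across many clients. The hit-rate monitor is what distinguishes random dialing from a user matching a handful of real contacts, so it is the control that actually stops the walk rather than slowing it.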
In a full statement, the spokesman said: ‘The privacy of people who use Facebook is extremely important to us. We have industry-leading proprietary network monitoring tools constantly running in order to ensure data security and have strict rules that govern how developers are able to use our APIs to build their products. Developers are only able to access information that people have chosen to make public.
‘Everyone who uses Facebook has control of the information they share, this includes the information people include within their profile, and who can see this information. Our Privacy Basics tool has a series of helpful guides that explain how people can quickly and easily decide what information they share and who they share it with.’
Offering a bleaker outlook, cyber security expert Justin Cappos, professor in computer science and engineering at NYU’s Polytechnic School of Engineering, says it would be surprising if Facebook took action on the matter.
Unlike Apple, which focuses on building products, Facebook is founded on the idea of freely collating and sharing data.
‘Their core mission statement is to allow people to go and disseminate information. So it’s not surprising that they haven’t responded to this,’ Professor Cappos told Daily Mail Online.
‘A company like Apple has quite a different perspective on who uses its devices. They are not trying to monetize you, they are trying to make really nice devices.
‘If you’re providing information to an organization like Facebook, they are making money off sharing that information about you.’
Ultimately, he says, the responsibility will always lie with the user.
‘I always say only share things on Facebook that you would post publicly. Imagine a jealous ex-lover going and finding your new number or companies using it for marketing purposes. It is all in the open.’
BBN/SK/AD