Facebook Privacy Is Good/Bad (Enough); Just Flip a Coin!
The discovery of a flaw that lets users’ phone numbers be matched to their names regardless of how they restricted their contact-info visibility hits Facebook where it hurts most: data privacy.
Security researcher Suriya Prakash found that a conflict between two Facebook account privacy settings makes it possible to look up arbitrary users by phone number and associate their names with the numbers they supplied as an authentication element on the platform. The “Who can look you up using the email address or phone number you provided” setting defaults to “Everyone”, and it takes precedence over the contact-info visibility setting, so even a cautious user who set their phone number to “Only me” can still be found by it.
When the researcher asked Facebook for corrective action to prevent mass collection of phone numbers, a Facebook Security staff member replied that there is “rate limiting on finding users via any means, including phone numbers.” Prakash then put that limit to the test with a macro script run against the mobile version of the site.
“So I decided to make a very simple POC,” reads Prakash’s blog post detailing the experiment. “It was just a macro script that read and saved the user names for a range of generated numbers, and sent it to them. Many of you might be wondering how I bypassed the “Rate limiting” by Facebook. Well simple I used the mobile version! THAT’S ALL!”
The platform never blocked the collection attempts, and the potential consequences of exploiting this flaw at scale are serious. “I also calculated that it would take a person with a large enough botnet (100k) and a slightly better script […] just a couple of days to download the ENTIRE Username:Phonenumber list of Facebook’s 600 million users who have mobile! Out of which at least 500 million would be vulnerable,” added Prakash.
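The two failures described above (a permissive lookup setting that wins over a stricter visibility setting, and a rate limit scoped to one front-end rather than to the lookup operation itself) are easier to reason about in code. The following is an added example written for this page; it is not code from the article, from Prakash’s proof of concept, or from Facebook. The user records, phone numbers, the “www”/“m” front-end names and the request limit are constructed for the example.

```python
"""Model of a phone-number lookup with (a) conflicting privacy settings and
(b) a rate limit keyed per front-end, beside the corrected versions of both.

Added example, not the article's or Facebook's code. All records, phone
numbers, front-end names and limits below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# Visibility levels from most to least restrictive.
LEVELS = {"only_me": 0, "friends": 1, "everyone": 2}


@dataclass
class User:
    name: str
    phone: str
    contact_visibility: str = "everyone"  # "Who can see your phone number"
    lookup_by_phone: str = "everyone"     # "Who can look you up ..." (defaults to Everyone)


def lookup_flawed(directory, phone):
    """Honours only the lookup setting, so its 'everyone' default wins
    even when the user set their phone number to 'only_me'."""
    u = directory.get(phone)
    if u is not None and u.lookup_by_phone == "everyone":
        return u.name
    return None


def lookup_fixed(directory, phone):
    """Effective policy for an anonymous requester is the stricter of the
    two settings; only an effective 'everyone' returns a name."""
    u = directory.get(phone)
    if u is None:
        return None
    effective = min(u.lookup_by_phone, u.contact_visibility, key=LEVELS.__getitem__)
    return u.name if effective == "everyone" else None


class RateLimiter:
    """Counts lookups per bucket; per_front_end=True gives each front-end
    (web, mobile, ...) its own bucket, which is the weakness being modelled."""

    def __init__(self, limit, per_front_end):
        self.limit = limit
        self.per_front_end = per_front_end
        self.counts = defaultdict(int)

    def allow(self, client, front_end):
        key = (client, front_end) if self.per_front_end else client
        self.counts[key] += 1
        return self.counts[key] <= self.limit


def enumerate_names(directory, lookup, limiter, client, phones, front_ends):
    """Scraper model: walks a number range and hops to the next front-end
    when the current one refuses; stops when every front-end refuses."""
    found = {}
    fe = 0
    for phone in phones:
        while not limiter.allow(client, front_ends[fe]):
            fe += 1
            if fe == len(front_ends):
                return found  # blocked on every front-end
        name = lookup(directory, phone)
        if name is not None:
            found[phone] = name
    return found


# Constructed directory: several users restricted their number but left the
# lookup setting at its default.
DIRECTORY = {u.phone: u for u in [
    User("Alice", "+15550000001", contact_visibility="only_me"),
    User("Bob", "+15550000002", contact_visibility="only_me", lookup_by_phone="only_me"),
    User("Carol", "+15550000003"),
    User("Dave", "+15550000004", contact_visibility="friends"),
    User("Erin", "+15550000005", contact_visibility="only_me"),
    User("Frank", "+15550000006"),
]}
PHONE_RANGE = [f"+1555000000{i}" for i in range(1, 9)]  # 8 numbers, 2 unassigned
FRONT_ENDS = ["www", "m"]  # assumed names for the desktop and mobile sites


def run_flawed(limit=3):
    """Per-front-end buckets and lookup-setting-only policy."""
    limiter = RateLimiter(limit, per_front_end=True)
    return enumerate_names(DIRECTORY, lookup_flawed, limiter, "scraper", PHONE_RANGE, FRONT_ENDS)


def run_fixed(limit=3):
    """One bucket per client across all front-ends, stricter-setting policy."""
    limiter = RateLimiter(limit, per_front_end=False)
    return enumerate_names(DIRECTORY, lookup_fixed, limiter, "scraper", PHONE_RANGE, FRONT_ENDS)


if __name__ == "__main__":
    print("flawed:", run_flawed())  # 5 names, 3 of them from restricted users
    print("fixed: ", run_fixed())   # only Carol, then blocked
```

Two things are corrected at once: the effective policy is resolved as the stricter of the two settings instead of letting the lookup default win, and the limiter is keyed on the client rather than on the (client, front-end) pair, so switching from the desktop site to the mobile site no longer refills the budget. A limit that a second front-end can reset is not a limit on the operation, only on one door to it.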
Vulnerabilities in online platforms do not seem to trouble the UK authorities much. They are planning to let users sign in to a one-stop gov.uk website using existing online accounts, Facebook ones included. The third party providing the login service to the user must, however, hold an Identity Assurance certification.
“We want to enable people to be able to prove their identity online – if they choose to – without the need for any national, central scheme. This way the citizen remains in charge, not the state,” a Cabinet Office spokesman told the Telegraph.
Although, in principle, this measure would spare users yet another login, some voices warn that cybercriminals are very likely to exploit the feature for their own profit. “It’s a laudable effort but given the powers of cyber-crime it’s inevitable that they are going to attack the third-party identifiers and find ways through the system,” Peter Warren, chairman of the Cyber Security Research Institute, told the Independent.