updated 10:09 pm EDT, Wed October 10, 2012
Facebook now limits tool's functionality to a few hundred at a time
On Friday, security researcher Suriya Prakash stated that the majority of Facebook-stored phone numbers are insecure, and have been so at least since September, when he started examining the issue. A demonstration provided by Prakash showed that a simple script could, with minimal time and cost, collect phone numbers and, at a minimum, the corresponding Facebook names. Facebook has since limited the usefulness of the script with basic flood-control limits, but Prakash claims that Facebook was not forthcoming when the social network did so.
Prakash's script picked a random phone number and, if the number's owner had privacy settings permitting it, the owner's profile photo and, at a minimum, an associated name were displayed. The script allowed a "phone book" of sorts to be built of the people who allow lookups by phone number alone.
The researcher contacted Facebook with his findings, and after an unsatisfactory back-and-forth in which Facebook maintained that his attack was impossible because existing rate limits and privacy settings prevented it, Prakash was able to collect data for four days with no blocks or limitations.
Again, he sent the details of the security flaw to Facebook, and received no reply. He then posted "a very small percentage" of what he managed to collect. The list he published includes 846 phone numbers, heavily redacted to protect the privacy of the people whose data was mined.
Eventually, the scripting behavior was throttled, but a few hundred users can still be collected at a time despite the block. Facebook has declared the phone number search capability to be working as intended, and told The Next Web that "The ability to search for a person by phone number is intentional behavior and not a bug in Facebook. By default, your privacy settings allow everyone to find you with search and friend finder using the contact info you have provided, such as your email address and phone number. You can modify these settings at any time from the Privacy Settings page."
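The flood control described above is a rate limit on lookups, which a script that merely slows down can work around; a limiter that also counts how many distinct numbers one client asks about catches the enumeration pattern itself. The following is an added illustration written for this article, not Facebook's code; the thresholds, the client key and the sample lookup events are all constructed.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60   # constructed: sliding window length
MAX_LOOKUPS = 20      # constructed: total lookups per client per window
MAX_DISTINCT = 10     # constructed: distinct numbers per window before flagging


class LookupGuard:
    """Per-client sliding-window limiter that also spots enumeration: a
    real user re-checks a handful of numbers, a script walks through many."""

    def __init__(self, window=WINDOW_SECONDS, max_lookups=MAX_LOOKUPS,
                 max_distinct=MAX_DISTINCT):
        self.window, self.max_lookups, self.max_distinct = window, max_lookups, max_distinct
        self.history = defaultdict(deque)  # client -> (timestamp, number), oldest first

    def _prune(self, client, now):
        q = self.history[client]
        while q and now - q[0][0] >= self.window:  # drop entries outside the window
            q.popleft()
        return q

    def check(self, client, number, now):
        """Return 'allow', 'throttle' or 'flag' for one lookup attempt. Denied
        attempts are recorded too, so a retry storm stays blocked."""
        q = self._prune(client, now)
        q.append((now, number))
        if len(q) > self.max_lookups:
            return "throttle"
        if len({n for _, n in q}) > self.max_distinct:
            return "flag"  # many distinct numbers in one window: enumeration
        return "allow"


def replay(events, guard=None):
    """Feed (timestamp, client, number) events through the guard; return verdict counts per client."""
    guard = guard or LookupGuard()
    counts = defaultdict(lambda: defaultdict(int))
    for ts, client, number in sorted(events):
        counts[client][guard.check(client, number, ts)] += 1
    return {c: dict(v) for c, v in counts.items()}


# Constructed sample: one user re-checking two numbers, one script walking a range.
SAMPLE_EVENTS = [(t, "user-A", f"+1555000{t % 2:04d}") for t in range(0, 60, 4)]
SAMPLE_EVENTS += [(t, "script-B", f"+1555100{t:04d}") for t in range(0, 30)]

if __name__ == "__main__":
    print(replay(SAMPLE_EVENTS))
```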
While the data collected may be limited to phone numbers, names and in some cases email addresses, it is still available for harvesting, and can be combined with other breaches to compile a "profile" of a user for use in social engineering attacks, potentially revealing a password. When an email address can be tied to a specific, reused password, it becomes a simple matter to attack e-commerce sites using the duplicated credentials and any stored credit card information.

[via The Next Web]