Printed from http://www.electronista.com

Researcher builds Facebook phone number data farming tool

updated 10:09 pm EDT, Wed October 10, 2012

Facebook now limits tool's functionality to a few hundred at a time

On Friday, security researcher Suriya Prakash stated that the majority of phone numbers stored on Facebook are insecure, and have been so at least since September, when he started examining the issue. A demonstration provided by Prakash showed that a simple script was able to collect phone numbers and the corresponding Facebook names, at a minimum, with minimal time and cost. Facebook has since limited the usefulness of the script with basic flood-control limits, but Prakash claims that Facebook was not forthcoming when it did so.

Prakash's script allowed the user to pick a random phone number; if the number's owner has privacy settings that permit lookup by phone number, the owner's profile photo and, at a minimum, the associated name are displayed. The script thus allowed a "phone book" of sorts to be built from the people who allow lookups by phone number alone.

The researcher contacted Facebook with his findings. After an unsatisfactory back-and-forth in which Facebook claimed that his attack was impossible because of existing rate limits and privacy settings, Prakash was able to collect data for four days with no blocks or limitations.

Again, he sent the details of the security flaw to Facebook, and received no reply. He then posted "a very small percentage" of what he managed to collect. The list he published includes 846 heavily redacted phone numbers to protect the privacy of the people mined for data.

Eventually, the scripting behavior was throttled, but a few hundred users can be collected at a time regardless of the block. Facebook has declared the phone number search capability working as intended, and told The Next Web that "The ability to search for a person by phone number is intentional behavior and not a bug in Facebook. By default, your privacy settings allow everyone to find you with search and friend finder using the contact info you have provided, such as your email address and phone number. You can modify these settings at any time from the Privacy Settings page."
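Throttling of the kind described above is the defensive counterpart to the harvesting the article reports: a reverse-lookup endpoint that answers one phone number at a time behaves very differently for a person checking a contact than for a script sweeping a number range. The following is an added example, not code from the article, from Prakash or from Facebook. It assumes a hypothetical lookup log in the form `<unix_ts> <client_id> <phone_number> <hit|miss>`, a hypothetical threshold (more than 20 distinct numbers from one client in a 10-minute window), and a constructed sample log; all three are assumptions for illustration, and the thresholds would be tuned against real traffic.

```python
"""Detect and throttle phone-number enumeration on a reverse-lookup endpoint.

Added example, not from the article or Facebook. The log format, the
threshold and the sample lines are all assumptions made for illustration.
"""
from collections import defaultdict, deque

# Hypothetical policy: more than MAX_DISTINCT distinct numbers from one
# client inside a WINDOW_SECONDS sliding window is treated as enumeration.
WINDOW_SECONDS = 600
MAX_DISTINCT = 20


def parse_line(line):
    """Parse one hypothetical log line: '<unix_ts> <client_id> <number> <hit|miss>'."""
    ts, client, number, outcome = line.split()
    return int(ts), client, number, outcome


class EnumerationDetector:
    """Flags a client that looks up more than max_distinct distinct numbers
    inside a sliding window of `window` seconds."""

    def __init__(self, window=WINDOW_SECONDS, max_distinct=MAX_DISTINCT):
        self.window = window
        self.max_distinct = max_distinct
        self.events = defaultdict(deque)  # client -> deque of (ts, number), oldest first
        self.flagged = {}                 # client -> ts at which the threshold was first crossed

    def observe(self, ts, client, number):
        """Record a lookup (events must arrive in time order per client);
        return True if the client is now flagged."""
        q = self.events[client]
        q.append((ts, number))
        # Drop events that have aged out of the window.
        while q and q[0][0] < ts - self.window:
            q.popleft()
        distinct = {n for _, n in q}
        if len(distinct) > self.max_distinct and client not in self.flagged:
            self.flagged[client] = ts
        return client in self.flagged

    def allow(self, ts, client, number):
        """Gate for the lookup endpoint: serve the lookup only while the
        client is under the threshold; a flagged client is throttled."""
        return not self.observe(ts, client, number)


def scan_log(lines, **kw):
    """Run the detector over log lines and return {client: first_flag_ts}."""
    det = EnumerationDetector(**kw)
    for line in lines:
        ts, client, number, _ = parse_line(line)
        det.observe(ts, client, number)
    return det.flagged


def constructed_log():
    """Constructed sample, not real data: client-A does three ordinary lookups,
    client-B sweeps 25 sequential numbers in about two minutes."""
    base = 1_349_900_000
    lines = [f"{base + i * 60} client-A {n} hit"
             for i, n in enumerate(["+15550100200", "+15550100201", "+15550100200"])]
    lines += [f"{base + i * 5} client-B +1555010{i:04d} miss" for i in range(25)]
    return sorted(lines, key=lambda l: int(l.split()[0]))


if __name__ == "__main__":
    for client, ts in scan_log(constructed_log()).items():
        print(f"{client}: enumeration suspected from ts={ts}")
```

Counting distinct numbers rather than raw requests keeps a user who retries the same contact from tripping the detector, while a sweep of sequential numbers crosses the threshold on its 21st distinct lookup; the same object can sit in front of the endpoint as `allow()` so that the lookup is throttled at that point rather than merely logged.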

While the data collected may be limited to phone numbers, names and in some cases email addresses, it is still available for harvesting, and can be combined with data from other breaches to compile a "profile" of a user for social engineering attacks, potentially revealing a password. Once an email address can be tied to a password that the user reuses, attacking e-commerce sites with those duplicated credentials, and the stored credit card information behind them, becomes a simple matter. [via The Next Web]



By Electronista Staff