Facebook Confirms Data Breach and Massive Vulnerability

A self-proclaimed security enthusiast has exposed a major flaw in Facebook: nearly any user's phone number can be used to look up their personal information. His name is Suriya Prakash, and his method of harvesting numbers involves using Facebook's mobile site to bypass the search limits imposed on the social network's regular portal, or so he claims. Here's how he explains it.

"About a month ago I was just browsing Facebook on my Facebook mobile application and it had an option called 'Find friends using contacts' -- what it does is that it compares the contact list from your phone to the Facebook database to see if you have any friends that are in your contacts but not on your Facebook account," Prakash told The Next Web. "I also later figured out that simply 'searching' a person's phone number (including country code) will show you their account."

Facebook Eyeballs

Using Prakash's method, a person could search a random phone number and view the owner's full profile. According to Prakash it works nearly every time, because Facebook's privacy settings are confusing and most people haven't restricted who can look them up by phone number. That in and of itself isn't too egregious; the scary part is that Prakash claims he was able to write a script that compiles a massive phone book of everyone who can be found this way on Facebook.

The script he wrote saved the user names returned for a range of generated phone numbers. Facebook protects users from this behavior on its main site by limiting the number of searches a client can initiate, but Prakash claims he got around that limit by running the script against Facebook's mobile site, where he says it worked like a charm for four days straight before Facebook caught on.

"Facebook has developed an extensive system for preventing the malicious usage of our search functionality and the scenario described by the researcher was indeed rate-limited and eventually blocked," a Facebook spokesperson explained. "We are constantly updating these systems to improve their effectiveness and address new kinds of attacks."

Prakash acknowledges that Facebook eventually blocked his script, but not before he was able to harvest hundreds of thousands of phone numbers. He also says he alerted Facebook about the vulnerability, but was ignored until his proof-of-concept started to receive media attention.

Via: The Next Web
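The weakness described above is a lookup budget enforced per front end (web vs. mobile) rather than per requester. The following added example, which is not Facebook's code, replays a constructed enumeration run through both models; the client addresses, host names and phone numbers are invented for illustration.

```python
from collections import defaultdict, deque

# Constructed reverse-lookup log: (seconds, client, front-end host, phone number).
# One client exhausts the "www" budget, then simply switches to the "m" host.
SAMPLE_REQUESTS = (
    [(t, "203.0.113.7", "www", f"+1555000{t:04d}") for t in range(0, 12)]
    + [(t, "203.0.113.7", "m", f"+1555001{t:04d}") for t in range(12, 24)]
    + [(30, "198.51.100.9", "www", "+15551234567")]  # an ordinary single lookup
)


class SlidingWindowLimiter:
    """Allow at most `limit` lookups per key within any `window`-second span."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)  # key -> timestamps of allowed lookups

    def allow(self, key, now):
        q = self.hits[key]
        while q and now - q[0] >= self.window:  # drop hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def replay(requests, key_fn, limit=10, window=60):
    """Replay requests through a limiter; return allowed lookups per host."""
    limiter = SlidingWindowLimiter(limit, window)
    allowed = {host: 0 for _, _, host, _ in requests}
    for now, client, host, _phone in requests:
        if limiter.allow(key_fn(client, host), now):
            allowed[host] += 1
    return allowed


# Flawed model: each front end keeps its own quota, so the mobile host leaks.
def per_endpoint_key(client, host):
    return (client, host)


# Fixed model: one quota per requester, no matter which front end served it.
def per_client_key(client, host):
    return client


if __name__ == "__main__":
    print("per-endpoint budget:", replay(SAMPLE_REQUESTS, per_endpoint_key))
    print("per-client budget:  ", replay(SAMPLE_REQUESTS, per_client_key))
```

With the per-endpoint budget the enumerating client gets a fresh quota on the mobile host; with the shared budget it is cut off at ten lookups while the unrelated client is unaffected.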
timaeus 2 years ago

"...he says it worked like a charm for four days straight... Facebook eventually blocked his script, but not before he was able to cultivate hundreds of phone numbers."

Hundreds of phone numbers in four days? That's not nearly as bad as the article seems to imply. I was thinking on the order of thousands or tens-of-thousands. So he was using a crude, brute-force method, which Facebook detected, and has since blocked. Cool.

Dave_HH 2 years ago

This article's headline has been updated to reflect the situation more accurately. The vulnerability is significant, demonstrating it can be done to millions of accounts.

SPrakash 2 years ago

Why did I say hundreds? I got thousands! I only released a very small portion of it (http://privatepaste.com/3b9c229921). And the 4 days is with my macros script. But Tyler's script would give you one result every second! The script was only blocked after all the media attention!

PS: Edit as appropriate.

SMasiello 2 years ago

So much for responsible disclosure...

SPrakash 2 years ago

I gave them 1 month! They didn't even reply properly! http://suriya.me/me-and-facebook-a-cautionary-tale/ read it fully!

TSmykowski 2 years ago

Well... it's good that this came out before anyone used the flaw in the wrong way. Kudos to Prakash. Well.. I don't know what you think, but I try not to post anything on Facebook that could not be shown publicly.

JMorgan1 2 years ago

Yawn, found this out in July, posted it publicly, now some 'expert' discovers it months later when it's been known about since July.