Facebook's phone search can be abused to find people's numbers, researchers say

Attackers can extract people's names and phone numbers from Facebook with a brute-force search attack, security researchers show

Attackers can abuse Facebook's phone search feature to find valid phone numbers and the name of their owners, according to security researchers.

The attack is possible because Facebook doesn't limit the number of phone number searches that can be performed by a user via the mobile version of its website, Suriya Prakash, an independent security researcher said Friday in a blog post.

Facebook allows users to associate their phone numbers with their accounts. In fact, a mobile phone number is required to verify any new Facebook account and unlock features like video uploading or timeline URL personalization.

When adding phone numbers in the "Contact info" section of their respective Facebook profile pages, users can choose whether to make this information visible to the general public, only to their friends, or to no one but themselves, which is a good privacy option.

Facebook also allows users to find other people on the website by searching for those people's phone numbers in international format.

Users can control who can locate them using this method through an option under "Privacy Settings" > "How You Connect" > "Who can look you up using the email address or phone number you provided?" which is set by default to "Everyone."

This means that even if you set your phone number's visibility to "Me only" on your profile page, anyone who knows your phone number will still be able to find you on Facebook unless you change the second setting to "Friends" or "Friends of friends." There is no option to prevent everyone from locating your profile using your phone number.

Since most people don't change the default value of this setting, it is possible for an attacker to generate a list of sequential phone numbers within a chosen range -- for example from a specific operator -- and use Facebook's search box to discover who they belong to, Prakash said. Connecting a random phone number to a name is every advertiser's dream, and lists of this sort would fetch a high price on the black market, he said.

Prakash claims that he shared this attack scenario with Facebook's security team in August and after an initial response on Aug. 31 all of his emails went unanswered until Oct. 2, when a Facebook representative responded and said that the rate at which users can be found on the website via any means, including phone numbers, is restricted.

However, the mobile version of Facebook's website -- m.facebook.com -- doesn't appear to have any search rate limitation, Prakash said.

The researcher generated numbers with U.S. and India country prefixes and created a simple proof-of-concept (PoC) macro script that searched for them on Facebook and saved the ones that were found to be associated with Facebook profiles, together with the names of their owners.

Prakash said that he decided to publicly disclose the vulnerability a few days after sending his PoC script to Facebook, because the company didn't respond. Prakash even published 850 partially obfuscated phone numbers and associated names which, he claimed, represented a very small portion of the data he obtained during his tests.

"It's been about a week since I started running it and I still haven't been blocked," Prakash said Monday via email. "I even informed them [Facebook] today morning (Indian time) still no reply."

Facebook did not return a request for comment sent Monday.

Following Prakash's public disclosure, Tyler Borland, a security researcher with network security vendor Alert Logic, created an even more efficient script that can run up to ten Facebook phone search processes at the same time. Borland's script is called "Facebook phone crawler" and can search for phone numbers from a user-specified range.

"With default settings I was able to verify data for 1 phone number every second," Borland said via email on Monday. "They [Facebook] do not employ any kind of rate limiting or I haven't hit that limit yet. Again, I sent hundreds of requests within short intervals of time and nothing happened."

With Borland's script running on a large botnet -- over 100,000 computers -- an attacker could find the phone numbers and names of most Facebook users with mobile numbers associated with their accounts in a matter of days, Prakash said.
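The missing control the researchers describe is a per-client limit on the lookup endpoint. Below is a defender-side sketch, added here and not part of the original article or of any Facebook code, of a guard that rate-limits "find account by phone number" requests over a sliding window and flags runs of consecutive numbers, the pattern a sequential-range scan produces; the thresholds, client addresses and log lines are constructed for illustration.

```python
from collections import defaultdict, deque

class LookupGuard:
    def __init__(self, window=60, limit=5, seq_threshold=4):
        self.window = window                # seconds of history kept per client
        self.limit = limit                  # lookups allowed per client per window
        self.seq_threshold = seq_threshold  # consecutive numbers before flagging
        self.history = defaultdict(deque)   # client -> deque of (ts, number)

    def check(self, client, ts, number):
        """Return 'allow', 'rate_limited' or 'enumeration_suspected'."""
        q = self.history[client]
        while q and ts - q[0][0] >= self.window:  # evict entries outside window
            q.popleft()
        q.append((ts, int(number.lstrip("+"))))  # E.164 digits compare as ints
        if len(q) > self.limit:
            return "rate_limited"
        if self._longest_sequential_run(q) >= self.seq_threshold:
            return "enumeration_suspected"
        return "allow"

    @staticmethod
    def _longest_sequential_run(q):
        """Longest run of lookups where each number is the previous one plus 1."""
        nums = [n for _, n in q]
        best = run = 1
        for prev, cur in zip(nums, nums[1:]):
            run = run + 1 if cur - prev == 1 else 1
            best = max(best, run)
        return best

# Constructed log, "<timestamp> <client> <number>": one client walks a block.
SAMPLE_LOG = """\
0 10.0.0.5 +14155550100
1 10.0.0.5 +14155550101
2 10.0.0.5 +14155550102
3 10.0.0.5 +14155550103
4 10.0.0.5 +14155550104
5 10.0.0.5 +14155550105
30 10.0.0.9 +14155550198
95 10.0.0.9 +14155550733
"""

def analyze(log_text, guard=None):
    """Replay a lookup log through the guard; return {client: [verdict, ...]}."""
    guard = guard or LookupGuard()
    verdicts = defaultdict(list)
    for line in log_text.splitlines():
        ts, client, number = line.split()
        verdicts[client].append(guard.check(client, int(ts), number))
    return dict(verdicts)
```

The enumeration check fires before the plain rate limit is reached, which matters when a scanner paces itself just under the per-window cap.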

It is disturbing that this vulnerability is still open and there are public tools available to exploit it, said Bogdan Botezatu, a senior e-threat analyst at antivirus vendor Bitdefender, via email on Monday. Very few users alter their default privacy settings, he said.

This is another example of how a great feature can end up abused if safety mechanisms are poorly implemented or are completely missing, Botezatu said. "Unlike e-mail messages or blog comments, approaching a user by phone is much more effective in a spear vishing [voice phishing] attack, mostly because the computer user is not aware of the fact that his phone number may have ended up in the wrong hands. Coupled with the users' information in their profile, an attacker can convince the user to hand over personal information in no time."

Voice phishing attacks and other types of phone scams are common and their success rate is already high, Botezatu said.

"Now imagine that these crooks address you by your full name and back up their statements with information about you taken straight from your [Facebook] profile," Botezatu said.

Stories by Lucian Constantin