Facebook users have been warned yet again about the data they share on the social networking site, after a software engineer managed to harvest data from thousands of uses.
He did so simply by guessing some mobile phone numbers.
Reza Moaiandin, who discovered the security flaw in Facebook’s operating system, exploited one of the social network’s privacy settings which allows anyone to find a Facebook user by searching their phone number.
Moaiandin was able to obtain the names, profile pictures and locations of thousands of users who had not chosen to make their accounts public.
The “Who can find me?” option in your Facebook settings is by default set to “public”, even if you have chosen not to display your phone number in your public profile.
The engineer generated thousands of mobile numbers using a simple algorithm, and sent them on to Facebook’s API. Within minutes, he had access to thousands of profiles.
Moaiandin said the experiment was like “walking into a bank, asking for a few thousand customers’ personal information based on their account number, and the bank telling you: ‘Here are their customer details.’”
He added on his blog that he had alerted Facebook to the loophole in advance, but had received a response which read: ‘We do not consider it a security vulnerability, but we do have controls in place to monitor and mitigate abuse”.
