back to article Wanna harvest a stranger's Facebook data? Get a mobile number and off you go

Hackers and other miscreants are able to access names, telephone numbers, images and location data in bulk from Facebook, using only a cellphone number. The loophole was revealed by software engineer Reza Moaiandin. Moaiandin, technical director at UK-based tech firm Salt.agency, exploited a little-known privacy setting in a …

  1. Zog_but_not_the_first Silver badge
    Facepalm

    Well duh!

    I can see the superficial appeal of Facebook for sharing stuff but having a smattering of IT knowledge I felt bound to explain carefully to friends, relatives, colleagues - in fact anyone who would listen - on how beneath the fun and "likes" of Facebook there beat a darker heart.

    Unfortunately. these days with my rapidly advancing Meldrewisation I keep it short and sweet.

    "Anyone with a Facebook account is an idiot".

    1. Anonymous Coward
      Anonymous Coward

      Re: Well duh!

      Phew... i thought i missed this week's copy and paste rant against anything facebook by some old granddad who "doesn't do facebook"... so arguably doesn't really have a relevant point of view.

      Also thanks for the insult because you are clearly more intelligent than EVERYONE by hiding in your facebook free cave (nothing like a self righteous IT guy to prove a stereotype).

      Really, YAWN... your views are soooo out dated you might aswell be decrying flat screens in favour of CRT. And telling anyone who will listen must really make you popular at the bingo!!!

      Yes, the internet in general does not protect your data so instead of wearing your tinfoil hat and sitting in the shed perhaps (like the rest of us) you can figure out a way to work with it to your advantage.

      For instance;- only put things on facebook that you would be happy published in the national newspaper (crazy idea, but with a small amount of intelligence it can be managed... even by us idiots).

      I use facebook quite happily, i have some vague attempts at privacy turned on... just to stop common browsing of my stuff, but i am in no doubt that a 12 year script kiddie could be in my account in seconds if he/she so desired.

      The benefits however are that i keep in touch with my friends around the world without having to actually speak to them or email etc. (I only have friends on FB i have already met in real life).

      I don't have to email photos to anyone anymore.

      Organising to meet people in a group is easy.

      I never have to sit through holiday photos ("[lie] yeah i saw them on facebook, mate").

      I don't have to remember birthdays and in fact don't even have to buy a card... just type a heartless "Happy Birthday" when facebook prompts me.

      If your life is so bereft of anything good that you can only go around telling everyone that facebook is evil, then i pity you and your re-runs of Blake7 on a Saturday night.

      Don't call me an idiot because i made different choices to you.... as that just shows you up, not me.

      1. SoaG

        Re: Well duh!

        "only put things on facebook that you would be happy published in the national newspaper"

        Metadata, you might want to look it up. Facebook knows you better than you know yourself.

        They even know how big an idiot you are.

      2. Zog_but_not_the_first Silver badge
        Trollface

        Re: Well duh!

        "Also thanks for the insult because you are clearly more intelligent than EVERYONE by hiding in your facebook free cave (nothing like a self righteous IT guy to prove a stereotype)."

        Top trolling! I thought I was quite good at it. Facebook-free cave? That's a rent opportunity if ever I saw one.

      3. Drs. Security

        Re: Well duh!

        if all FB users would view and act like the sensible you do your FB posts Jeremy 3 they would be out of business.

        I agree, this is the only way to use FB though it still is harvesting a lot of information through indirectly as well.

        OH and not using FB doesn't mean you don't use the internet at all. FB isn't similar to the internet although Zuck would rather think they are identical. But so does Google (or should I say Alphabet now).

        And to some extend Apple too.

  2. Anonymous Coward
    Anonymous Coward

    Ah, yes, that mobile phone number ..

    .. that they tried to collect from me "for my security" (ditto for Google, by the way).

    I have always refused to provide any one of my mobile numbers for anything but damn good reasons, and hearing "fro your security" come from these data scrapers doesn't qualify. It's as dumb as allowing LinkedIn to roam your email system to find "people you may know".

    Not that I live under the illusion they don't have it. They will have picked it up from someone else, via FB itself or maybe via WhatsApp, but at least it's not been legitimised by coaxing it out of me directly.

  3. Anonymous Coward
    Anonymous Coward

    "Anyone with a Facebook account is an idiot".

    Upvote for "Meldrewisation" despite that not being a word, but I think that's too harsh on users. The problem is that people are too innocent and have no idea of the consequences of FB until after they get stung, and FB (and Google) are not going to declare themselves the massive risk to privacy they are, and there is really not enough education in place to prevent people from falling for the con of "free" (comments passim).

    Especially FB has a hard drugs-alike quality of creating dependency, so it takes quite some commitment to drop it once it has ingrained itself into your life - once updating the world on your life on FB has embedded itself as a habit in your basal ganglia* it is incredibly hard to dislodge, and that's what companies like FB and Google prey on: getting you into the habit of sharing personal information.

    *: that books is very much worth reading.

    1. launcap Silver badge

      > once updating the world on your life on FB has embedded itself as a habit in your basal ganglia

      Annnd we are back to the Laundry Files. So - is FB the computer equivalent of the Necronomicon?

  4. Anonymous Coward
    Anonymous Coward

    Nice Photo

    A cross between Braveheart and Invasion of the Body Snatchers.

    wonder if Zuck hatched from a pod?

  5. GlenP Silver badge

    I use a separate email address purely for Facebook, they will never, ever get my mobile number or other personal details.

    I use it because it's the communication medium of choice for many of my friends and groups I belong to.

    1. Anonymous Coward
      Anonymous Coward

      The point is - they probably already have it.

      If you've installed the Facebook app or Whatsapp, 99% certainty. But there's a good chance of them having it already if someone you know uses the above as well. Whatsapp and programs of similar ilk just upload entire contact directories to their servers.

      No-one is under any illusion that everything is private. What IS unexpected though, is someone you don't know entering your phone number and finding out your location.

      1. Antti Roppola

        Aggregate stupidity

        Your privacy on social media can be measured as the aggregate stupidity of your friends. The trend seems to be that the purveyors pester people to upload their contact lists, complete with names, mobile phone numbers, email and real world addresses. If you are flogging a mobile phone as part of your empire, you probably don't even need to ask. It would not take too many slupred mobile phones to get nearly all the details and some statistical rigor on the reliability.

  6. Anonymous Coward
    Anonymous Coward

    If something is free....

    ... you are the product being sold.

    Give a multi-billion dollar data harvesting and advertising company your details (Google/Facebook et al) and don't be surprised if they make all your information available and monetize it at every opportunity.

    1. TheProf
      Pint

      Re: If something is free....

      I always feel more like a resource.

      1. Drs. Security

        Re: If something is free....

        haha even more so at the company you work for.

        It isn't called the human resource department for nothing ;)

    2. Drs. Security

      Re: If something is free....

      Only the sun rises and sets for free and the air is free too.

      Everything else is free as in "free beer" specifically on Internet.

  7. jonnycando
    Devil

    Only put on Facebook....

    ...rather, put nothing in Facebook. Don't join if you haven't already. If you have, well.....I don't know.

  8. Steve Knox

    Heads Will ROLL!

    This is a very serious security issue, and I'm sure someone at FaceBook will be fired for this.

    Seriously, FB does not look happily on people being able to exploit their users' data without paying Facebook for the privilege.

  9. pewpie

    WHHHHAAA?!

    You use a site that should really be called lookatme.com - and your privacy is at risk?

    Well, shit the bed.

  10. Kevin Fairhurst

    Having manually worked out who missed calls from unknown numbers were using this "feature" I'm just waiting for the next Android dialler that will automatically do a lookup using the Facebook API of anyone who calls...

    "You have 3 missed calls from Derek. His current location is the Red Lion pub"

  11. OliverJ

    ... industry-leading proprietary network monitoring tools ...

    "The privacy of people who use Facebook is extremely important to us. We have industry-leading proprietary network monitoring tools constantly running in order to ensure data security ..."

    So, basically, we have written a bunch of scripts (hence "proprietary") which monitor how many datasets are read per second by a given IP, and when the number is larger then our arbitrarily set threshold, a real human being (tm) will look into the matter. At the appropriate juncture, in due course, in the fullness of time.

    And as no one else does this kind of approach, we are not incompetent, but "industry-leading".

    That's like having a shop with expansive goods, and your whole concept of security is having a guy looking at the door for an unusually high number of people coming out of your shop with stuff under their arms.

    Of course, one could design a product to be (or at least aim to be) secure by itself, instead of monitoring the rate of theft to spot an intrusion ...

  12. Infernoz Bronze badge
    Holmes

    This is the fatal flaw of corporate, searchable 'social' media

    It is insecure by default, even if security is bolted on via HTTPS, because the intent of the APIs is social (insecure) by default; like, duh!

    If you want details to be secure, don't ever put them on any corporate (negligent for moar profit) 'social' media.

    Nothing is free, /everything/ has a cost somewhere to get or use!

    1. Drs. Security

      Re: This is the fatal flaw of corporate, searchable 'social' media

      That holds for all companies and products as: "Security is never and never will be an add-on feature"

      (nor bolted, patched or otherwise thought off afterwards etc.)

  13. jjcoolaus

    They have it all wrong!

    People who are concerned about their mobile number leaking aren't so worried about average joe spammer getting them because those same people have probably signed up to dozens of newsletters and other things with their mobile number & e-mail address.

    People are worried about "that creep" or "my ex partner" or "my ex friend" or "my bully" or whatever finding out.

    Data rate limiting preventing mass export isn't going to stop those people.

    I'm glad I deleted my facebook account 2 years ago. Never looked back. (and ensured it was properly gone too)

  14. Mark 65

    The gift that keeps on giving

    Facebook is to user privacy what Adobe Flash is to secure computing. I'm glad I personally have and use neither.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019