“Digi-crims can easily scan the population of a country to find targets,” warns security researcher Reza Moaiandin, technical director at Salt Agency, who has worked out how an important Facebook feature can be abused to gather personal data belonging to its users.
Facebook's default privacy setting leaves users' identities exposed.
If you have ever looked at Facebook's privacy settings, you will have noticed that under ‘Who can look me up?’ the option ‘Who can look you up using the phone number you provided?’ defaults to ‘Everyone’.
With this setting, anyone who types a phone number into the search box is shown the profile of the person who registered that number.
How do cybercriminals take advantage of this privacy blunder?
By exploiting this default, the researchers were able to link thousands of phone numbers to the corresponding Facebook accounts; a flaw of the same kind recently led to the theft of data on about 1.5 million Facebook users.
Through it, attackers can gather personally identifiable information (PII) on millions of users, including names, telephone numbers, locations, photographs and more.
The researchers used scripts to generate every possible phone number combination in use in Britain, the US and Canada.
Their number generator walks through the candidate numbers and uses Facebook's Application Programming Interface (API) to retrieve the user ID associated with each phone number.
With the user IDs in hand, the API returns further details: phone number, name, profile picture, the handset the user is on, the Facebook Messenger version and, last but not least, whether data can be pushed to the phone.
They also said that more information about the users could have been recovered had they carried on.
Moaiandin added: “With this security loophole, a person with the right knowledge can harvest the non-private details of the users who allow public access to their phone numbers, enabling the harvester to then use or sell the user details for purposes that the user may not be happy with.”
Facebook was alerted to the issue and asked to pre-encrypt the API responses. The loophole nevertheless remains, leaving the social network's 1.44 billion users open to social engineering attacks and identity theft.
Facebook's security team responded that it has controls in place to monitor and mitigate this kind of API abuse, and that strict rules limit how developers may use the APIs.
In the meantime, there are two steps you can take to avoid becoming a victim of such harvesting: do not list your phone number on your profile, and change the ‘Who can look you up using the phone number you provided?’ setting from the default ‘Everyone’ to ‘Friends only’. Bear in mind that the setting only stops future number-to-profile lookups; anything already harvested stays harvested.
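To make the mechanics concrete, here is an added example (not code from the article, Salt Agency or Facebook) that simulates both the enumeration loop described above and the kind of server-side volume check Facebook says it has. A toy lookup service honours the ‘Who can look me up?’ setting, a harvester walks a whole number block through it with one API key, and a detector flags keys whose lookup volume or miss ratio looks like sequential enumeration rather than ordinary contact matching. The directory, phone numbers, API keys and thresholds are constructed for the illustration; the real Facebook API and its limits are not modelled.

```python
from collections import Counter

# Constructed sample directory (phone -> profile). Numbers, IDs and names are
# made up for this example and do not correspond to real accounts.
DIRECTORY = {
    "+14155550101": {"id": 1001, "name": "A. Example", "who_can_look_me_up": "everyone"},
    "+14155550104": {"id": 1002, "name": "B. Example", "who_can_look_me_up": "everyone"},
    "+14155550107": {"id": 1003, "name": "C. Example", "who_can_look_me_up": "friends"},
}


class LookupService:
    """Toy phone-to-profile lookup that honours 'Who can look me up?' and logs every call."""

    def __init__(self, directory):
        self.directory = directory
        self.log = []  # one (api_key, phone, hit) tuple per call, for the detector below

    def lookup(self, api_key, phone, caller_is_friend=False):
        profile = self.directory.get(phone)
        visible = profile is not None and (
            profile["who_can_look_me_up"] == "everyone" or caller_is_friend
        )
        self.log.append((api_key, phone, visible))
        if not visible:
            return None  # friends-only profiles look exactly like unassigned numbers
        return {"id": profile["id"], "name": profile["name"]}


def enumerate_numbers(service, api_key, prefix, start, stop):
    """Harvester loop: try every number in a block and keep the profiles that resolve."""
    hits = {}
    for n in range(start, stop):
        phone = f"{prefix}{n:04d}"
        profile = service.lookup(api_key, phone)
        if profile is not None:
            hits[phone] = profile
    return hits


def flag_enumeration(log, max_lookups=100, max_miss_ratio=0.5):
    """Server-side control (hypothetical thresholds): flag API keys whose lookup
    volume or miss ratio looks like sequential enumeration. Contact matching by a
    real app resolves mostly known numbers; brute force mostly misses."""
    total = Counter()
    misses = Counter()
    for api_key, _phone, hit in log:
        total[api_key] += 1
        if not hit:
            misses[api_key] += 1
    flagged = {}
    for key, n in total.items():
        miss_ratio = misses[key] / n
        if n > max_lookups or miss_ratio > max_miss_ratio:
            flagged[key] = {"lookups": n, "miss_ratio": round(miss_ratio, 2)}
    return flagged


def demo():
    svc = LookupService(DIRECTORY)
    # A legitimate app: a couple of lookups of numbers that actually exist.
    svc.lookup("legit-app", "+14155550101")
    svc.lookup("legit-app", "+14155550104")
    # The harvester: walks the whole +1415555xxxx block with a single key.
    hits = enumerate_numbers(svc, "harvester", "+1415555", 0, 10000)
    return hits, flag_enumeration(svc.log)


if __name__ == "__main__":
    hits, flagged = demo()
    print("harvested:", hits)   # the two 'everyone' profiles; the friends-only one is absent
    print("flagged:", flagged)  # only the harvester key trips the detector
```

Running `demo()` harvests exactly the two profiles left on ‘Everyone’; the friends-only profile is indistinguishable from an unassigned number to the harvester, which is the whole point of the setting change recommended above. The detector flags the harvester key on both volume (10,000 lookups) and miss ratio (almost every number is unassigned), while the legitimate key, with two hits out of two, is left alone.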
So what does the attacker gain?
A database like this can be sold on the black market, which can put users' lives at risk, and the buyer's next step is the real danger: identity theft, financial losses, malware infections, phishing attacks and more.