
Facebook loophole exposes private phone numbers, here’s how to close it

Image credit: Shutterstock / Bloomua
Security is one tough business, as it seems like every day brings a new flaw or vulnerability. Today’s finding is a big one, since it could impact nearly 1.5 billion Facebook users.

Reza Moaiandin, the technical director at the Salt Agency, discovered a flaw in Facebook's people search that could let an attacker work out your phone number, even when it's set to private. Here's how it works, and how to protect yourself.

How it works

Facebook's search box lets you find people by typing their name, but many people don't know that you can also enter a phone number and get results. If you think that setting your phone number to private will keep it out of those results, think again. The private setting only controls whether the number is displayed on your profile to non-friends; it does not control whether someone who already has the number can use it to find you.


Facebook has a separate setting, "Who can look me up," that controls whether people can find you by your phone number or your email address, and it's set to Everyone (public) by default. This means that anyone, friend or non-friend, who enters your phone number in the Facebook search box gets back your name, location, and profile picture. That's fine when the person actually knows your number, because they are most likely an acquaintance, a friend, or a family member.

The problem is that phone numbers are not secrets: they are a small, structured space. A North American area code holds at most 10,000,000 seven-digit numbers, so a simple script can generate every number in an area, submit each one through Facebook's API, and collect a name for every number that belongs to an account, all within minutes. The attacker never needs to know any number in advance; the lookup tells them which numbers are real and whose they are. Imagine how damaging this would be for celebrities and politicians, especially since most people now use a single mobile number for everything.

To confirm Moaiandin's finding, we typed a few phone numbers of non-friends into the Facebook search box, and bingo: the name, location, and profile photo of each person appeared, exactly as if we had searched by name. Doing this by hand is far too slow to matter, since you would have to enter every candidate number, but it proves the flaw exists. A script driving Facebook's API could resolve millions of phone numbers to their owners within minutes.

What can Facebook do?

Moaiandin is advising Facebook to limit the number of lookup requests per user and to detect enumeration patterns, such as one account querying long runs of consecutive numbers. That would be a good start, but rate limits only slow a harvest that is spread across many accounts or a longer period; the more durable fix is to change the default for "Who can look me up" from Everyone to Friends. Encrypting the stored data, on the other hand, would change nothing here: the lookup is a feature Facebook intentionally answers, so the service has to see the number regardless of how it is stored.

He first contacted Facebook in April 2015 with his findings, but the first engineer didn’t understand the issue. After waiting a bit, Moaiandin notified the company again last month, and one engineer replied with, “Thanks for writing in. I investigated our codebase and it does appear to implement rate throttling. Note that the rate limits may be higher than the rate you’re sending to our servers, therefore you do not appear to be blocked. This is intentional. We do not consider it a security vulnerability, but we do have controls in place and mitigate abuse.” In other words, Facebook has some controls to prevent hackers from gathering mass phone-number lists, but they aren’t strict enough.
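To make the two preceding points concrete, the attacker's enumeration loop and the throttling Moaiandin proposed, here is an added example that simulates both. It is not Facebook's code and not Moaiandin's script: the `Directory` and `Throttle` classes, the users, the numbers, and the rate limits are all constructed assumptions. It goes slightly beyond the text by also showing what happens when the attacker shuffles the number range instead of scanning it in order.

```python
# Added example: a simulation, not Facebook's code or Moaiandin's script. It models
# the reverse lookup with the "Who can look me up" setting, a per-account rate cap
# and a consecutive-number detector, then scans a number block the way the attack
# above does. Every user, number and limit below is constructed for the simulation.
import random
from collections import deque
from dataclasses import dataclass, field

EVERYONE, FRIENDS_OF_FRIENDS, FRIENDS = "everyone", "friends_of_friends", "friends"


@dataclass
class User:
    name: str
    phone: str                      # digits only, e.g. "12125550123"
    lookup: str = EVERYONE          # the default the article describes
    friends: set = field(default_factory=set)


class Directory:
    """What the search box does: resolve a number to a profile card."""

    def __init__(self, users):
        self.by_phone = {u.phone: u for u in users}
        self.by_name = {u.name: u for u in users}

    def may_look_up(self, requester, target):
        if target.lookup == EVERYONE or requester.name in target.friends:
            return True
        if target.lookup == FRIENDS_OF_FRIENDS:
            return any(requester.name in self.by_name[f].friends for f in target.friends)
        return False                # FRIENDS, and the requester is not one

    def lookup(self, requester, phone):
        target = self.by_phone.get(phone)
        if target is None or not self.may_look_up(requester, target):
            return None
        return target.name          # a real card also carries location and photo


class Throttle:
    """Sliding-window cap per account plus an optional consecutive-number check."""

    def __init__(self, max_per_window, window_s, seq_len=None):
        self.max, self.window, self.seq_len = max_per_window, window_s, seq_len
        self.history = {}           # account -> deque of (time, phone)

    def allow(self, account, phone, now):
        q = self.history.setdefault(account, deque())
        while q and now - q[0][0] >= self.window:
            q.popleft()             # forget queries older than the window
        if len(q) >= self.max:
            return False
        if self.seq_len:            # seq_len >= 2: refuse N consecutive numbers in a row
            recent = [int(p) for _, p in list(q)[-(self.seq_len - 1):]] + [int(phone)]
            if len(recent) == self.seq_len and all(b - a == 1 for a, b in zip(recent, recent[1:])):
                return False
        q.append((now, phone))
        return True


def scan(directory, attacker, prefix, width, throttle=None, rate=2.0, shuffle=False):
    """The attacker's loop: every suffix under prefix, at `rate` queries per second."""
    suffixes = list(range(10 ** width))
    if shuffle:
        random.Random(1).shuffle(suffixes)   # fixed seed; defeats the consecutive check
    found, blocked = {}, 0
    for n, suffix in enumerate(suffixes):
        phone = f"{prefix}{suffix:0{width}d}"
        now = n / rate                       # logical clock, no sleeping
        if throttle and not throttle.allow(attacker.name, phone, now):
            blocked += 1
            continue
        name = directory.lookup(attacker, phone)
        if name:
            found[phone] = name
    return found, blocked


def build():
    """Constructed directory: three targets in the 1-212-555-xxxx block and a stranger."""
    alice = User("alice", "12125550123", friends={"bob"})
    bob = User("bob", "12125550140", friends={"alice", "carol"})
    carol = User("carol", "12125550199", friends={"bob"})
    mallory = User("mallory", "15555550100")           # friends with nobody
    return Directory([alice, bob, carol, mallory]), mallory


def demo():
    """Scan the 10,000-number block under each policy; each result is (found, blocked)."""
    d, mallory = build()

    def run(throttle=None, shuffle=False):
        return scan(d, mallory, "1212555", 4, throttle, shuffle=shuffle)

    results = {}
    results["default"] = run()                                   # all three resolved
    results["loose_cap"] = run(Throttle(50_000, 3600))           # cap above attacker's rate: same
    results["seq_ordered"] = run(Throttle(50_000, 3600, 5))      # blocks every fifth query only
    results["seq_shuffled"] = run(Throttle(50_000, 3600, 5), shuffle=True)   # evaded entirely
    results["strict_cap"] = run(Throttle(50, 3600, 5), shuffle=True)         # 100 of 10,000 pass
    for u in d.by_name.values():
        u.lookup = FRIENDS                                       # the user-side fix
    results["friends_only"] = run()                              # a stranger resolves nothing
    return results


if __name__ == "__main__":
    for policy, (found, blocked) in demo().items():
        print(f"{policy:13s} resolved={sorted(found.values())} blocked={blocked}")
```

Running it walks the same 10,000-number block under six policies. A cap above the attacker's rate, which is what the engineer's reply describes, blocks nothing. A consecutive-number detector on its own blocks one query in five of an ordered scan, which still leaks two of the three targets, and blocks nothing once the attacker shuffles the range. Only a cap well below what a full scan needs, or, on the user side, the Friends setting, stops the harvest. A real attacker would also spread the scan across many accounts and IP addresses, which is why a per-account cap has to be paired with the safer default rather than relied on alone.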

How to defend yourself in less than a minute

Good news! You don’t have to wait until Facebook wakes up and fixes this issue.

We contacted Reza Moaiandin and can confirm that if you follow the steps below, from either a desktop or a smartphone, your phone number can no longer be resolved by a script enumerating numbers, or by any random person who happens to type it into the Facebook search field. One caveat: the setting restricts who can look you up, it does not remove the number from Facebook, so anyone you have accepted as a friend (including a fake or compromised account) can still resolve it. We urge everyone to do this now, since it takes less than a minute.

From a desktop

  1. Open Facebook in your browser, click on the upside down triangle at the top right, and select Settings.
  2. Select Privacy from the left pane.
  3. Find Who Can Look Me Up under Privacy Settings and Tools.
  4. Select Who can look me up using the phone number you provided? and change it to Friends of Friends or Friends. Friends is the most restrictive option this setting offers and the one to choose.
  5. You will also notice an option for Who can look me up using the email address you provided? Change this as well. Email addresses cannot be enumerated from a numbering plan the way phone numbers can, but attackers routinely hold large lists of real addresses from earlier data breaches, so the same lookup works against those.

From your smartphone

  1. In the Facebook app, tap on the hamburger icon (three lines) at the top right and find Account Settings.
  2. Tap on Privacy.
  3. Find Who Can Look Me Up under How You Connect.
  4. Select Who can look me up using the phone number you provided? and change it to Friends of Friends or Friends. Friends is the most restrictive option this setting offers and the one to choose.
  5. You will also notice an option for Who can look me up using the email address you provided? Change this as well. Email addresses cannot be enumerated from a numbering plan the way phone numbers can, but attackers routinely hold large lists of real addresses from earlier data breaches, so the same lookup works against those.

We will update this post when Facebook acknowledges the flaw and subsequently fixes it.

Robert Nazarian
Former Digital Trends Contributor