Facebook’s Graph Search flaw exposes names with phone numbers

facebook security

Email address collection using Facebook has been a problem that we’ve encountered before when hackers were selling email addresses by the millions. Recently a similar issue – this time having to do specifically with phone numbers – has popped up again by way of Texan mobile developer Brandon Copley who has amassed a database of 2.5 million phone numbers.

Despite having brought the issue to Facebook’s attention, Copley found that the social network preferred to brush the problem off as just a feature within Facebook that’s actually public information. If you do a quick Graph Search for individual phone numbers, granted that the user has set their profile to public and included their phone number, Graph Search will spit out the names of Facebook users associated with that phone number. 

Recognizing the technicality of scraping Graph Search for phone numbers (and email addresses), Facebook told TechCrunch, “Your privacy settings govern who can find you with search using the contact info you have provided, such as your email address and phone number. You can modify these settings at any time from the Privacy Settings page.” There’s not much indication of Facebook’s willingness to patch up that loophole, it seems.

Since Facebook wasn’t going to be working on fixing the security flaw within Graph Search, Copley took matters into his own hands. He scraped 2.5 million phone numbers, apparently to prove a point, and presented the evidence to Facebook. He went as far as testing the limits of his developer account and by searching thousands of phone numbers on a daily basis, bumping this up to millions of searches using the “API token of an app that isn’t rate-limited,” until his account was consequently banned by Facebook numerous times.

Then noticing what was happening, Facebook’s lawyers sprung into action with a cease and desist letter claiming that Copley was “unlawfully acquiring Facebook user data” without permission. What its lawyers were reportedly sniffing around for included the method and script itself for how Copley was scraping Facebook’s database, and with whom he’s shared this knowledge with. Understandably Facebook may have reasons to be concerned about the safety of its users considering that Copley could use his “research” for malicious purposes, but bringing its lawyers into play really makes you question if the collection of personal information is really the non-issue that Facebook initially made it out to be.

Get our Top Stories delivered to your inbox: