Facebook loophole exposes private phone numbers, here’s how to close it

facebook phone number hackers flaw search shutterstock 202780831
Shutterstock / Bloomua
Security is one tough business, as it seems like every day brings a new flaw or vulnerability. Today’s finding is a big one, since it could impact nearly 1.5 billion Facebook users.

Reza Moaiandin, the technical director at the Salt Agency, discovered a flaw with Facebook that could allow hackers to figure out your phone number, even when it’s set to private. Here’s how it works, and how to protect yourself.

How it works

Facebook’s search box allows you to find potential friends on Facebook by simply typing their name, but many people don’t know that you can also enter phone numbers and receive results. If you think that setting your phone number to private will stop it from showing in search results, think again. Setting your phone number as private only stops it from appearing in your personal profile when non-friends are viewing it.

If we wrote a script and used Facebook’s API, we could have millions of phone numbers within minutes.

Facebook has an additional setting that allows anyone to search for you based on your phone number or your email address, and it’s set to Public by default. This means that anyone (friend or non-friend) entering your phone number in the Facebook search box will get information such as your name, location, and profile picture. That’s OK if the person actually knows your number, because they are most likely an acquaintance, a personal friend, or a family member.

The problem arises because a hacker can write a simple script with millions of phone numbers following a pattern for a certain area. They can then use Facebook’s API to conduct a search and get results within minutes. Imagine how devastating this would be for celebrities and politicians, especially since most people are using their mobile number exclusively these days.

To prove Moaiandin’s finding, we typed in a few phone numbers of non-friends in the Facebook search box, and bingo, the name of the person, location, and profile photo appeared for each number just like if we had typed their name. Of course, this method would be super slow since you would have to enter in each possible phone number, but it proves the flaw exists. If we wrote a script and used Facebook’s API, we could have millions of phone numbers along with who they belonged to within minutes.

What can Facebook do?

Moaiandin is advising Facebook to simply limit the amount of requests per user and detect patterns. This would be a good start, but encrypting data would be the best-case scenario.

He first contacted Facebook in April 2015 with his findings, but the first engineer didn’t understand the issue. After waiting a bit, Moaiandin notified the company again last month, and one engineer replied with, “Thanks for writing in. I investigated our codebase and it does appear to implement rate throttling. Note that the rate limits may be higher than the rate you’re sending to our servers, therefore you do not appear to be blocked. This is intentional. We do not consider it a security vulnerability, but we do have controls in place and mitigate abuse.” In other words, Facebook has some controls to prevent hackers from gathering mass phone-number lists, but they aren’t strict enough.

How to defend yourself in less than a minute

Good news! You don’t have to wait until Facebook wakes up and fixes this issue.

We contacted Reza Moaiandin and can confirm that if you follow the steps outlined below from either a desktop or a smartphone, your phone number will not be visible to hackers trying to use a script, or any random person who happens to enter it in the Facebook search field. We urge everyone to do this now, since it takes less than a minute to do.

From a desktop

  1. Open Facebook in your browser, click on the upside down triangle at the top right, and select Settings.
  2. Select Privacy from the left pane.
  3. Find Who Can Look Me Up under Privacy Settings and Tools
  4. Select Who can look me up using the phone number you provided? and change it to Friends of Friends or just Friends. Just Friends would be the ultimate protection.
  5. You will also notice an option for Who can look me up using the email address you provided? You can change this as well if you would like, but it’s a lot more difficult for a hacker to create a script of email patterns based on their complexities.

From your smartphone

  1. In the Facebook app, tap on the hamburger icon (three lines) at the top right and find Account Settings.
  2. Tap on Privacy.
  3. Find Who Can Look Me Up under How You Connect.
  4. Select Who can look me up using the phone number you provided? and change it to Friends of Friends or just Friends. Just Friends would be the ultimate protection.
  5. You will also notice an option for Who can look me up using the email address you provided? You can change this if you would like, but it’s a lot more difficult for a hacker to create a script of email patterns based on their complexities.

We will update this post when Facebook acknowledges the flaw and subsequently fixes it.

Social Media

Twitter tests home screen button that offers more control of your timeline

Twitter recently relaunched its reverse-chronological timeline, but accessing it means diving into settings. Now the company is testing a button on the main screen that lets you switch between the two different styles of timeline.

Which smartphone has the best camera? We found the sharpest shooters

They say that the best camera is always the one you have with you and that makes your smartphone camera very important indeed. Join us for a closer look at the best camera phones available right now.

Give your eyes a break with these handy blue light filters

Filtering blue light from your monitor is a great way to make long days of work easier on your eyes, especially when it gets later in the day. You can use the ones featured on MacOS and Windows, or one of a number of third-party options.

Sending SMS messages from your PC is easier than you might think

Texting is a fact of life, but what to do when you're in the middle of something on your laptop or just don't have your phone handy? Here's how to send a text message from a computer, whether you prefer to use an email client or Windows 10.

We tried all the latest and greatest smartphones to find the best of 2018

Smartphones are perhaps the most important and personal piece of tech on the planet. That’s why it’s important to pick the best phone for your individual needs. Here are the best smartphones you can buy.
Social Media

Snapchat’s PR firm is suing an influencer for failing to influence

Snapchat's PR firm is suing a social media influencer for his alleged failure to promote Spectacles on Instagram. Actor Luka Sabbat was paid $45,000 upfront, but the suit claims he fell well short of the terms of the deal.

WhatsApp finally gives in to the lure of cash-generating ads

WhatsApp's co-founders always said their messaging app would never show ads, but once the pair quit the company, it seemed inevitable that its owner, Facebook, would find a way to incorporate them.

Urban legends for the digital age: The best scary stories from the internet

In need of some simple scares this Halloween? We've combed the internet for the best creepypastas, urban legends, and scary stories. From found footage YouTube videos to a deceptively scary wiki, these stories are sure to spook.

Shazam hooks up with Instagram Stories for another way to share songs

The latest update for Apple-owned Shazam lets iPhone users share music tracks to Instagram Stories in a few quick taps. To enable the feature, just make sure you have the latest version of Shazam loaded on your handset.
Social Media

Dine and dash(board): Make a Yelp reservation from your car’s control panel

Already in the car, but can't decide where to eat? Yelp Reservations can now be added to some dashboard touchscreens. Yelp Reservations searches for restaurants within 25 miles of the vehicle's location.

Hackers sold 120 million private Facebook messages, report says

Up to 120 million private Facebook messages were being sold online by hackers this fall. The breach was first discovered in September and the messages were obtained through unnamed rogue browser extensions. 

Switch up your Reddit routine with these interesting, inspiring, and zany subs

So you've just joined the wonderful world of Reddit and want to explore it. With so many subreddits, however, navigating the "front page of the internet" can be daunting. You're in luck -- we've gathered 23 of the best subreddits to help…
Social Media

Facebook opens pop-up stores at Macy’s, but they’re not selling the Portal

Facebook has opened pop-up stores at multiple Macy's, though they're not selling Facebook's new Portal device. Instead, they're showcasing small businesses and brands that are already popular on Facebook and Instagram.
Social Media

Facebook Messenger will soon let you delete sent messages

A feature coming to Facebook Messenger will let you delete a message for up to 10 minutes after you send it. The company promised the feature months ago and this week said it really is on its way ... "soon."