A built-in Facebook feature has become the subject of a new controversy. The social juggernaut, by default, allows users to look up and identify a profile simply by typing in someone's phone number. A software engineer has managed to exploit this little-known feature and obtained information on thousands of users.
Searching for and identifying friends simply by looking up their phone numbers is a handy feature if you don't know a friend's email address, or if their profile is hidden from public view. However, the lookup works even when someone has added their mobile number to Facebook but used the privacy controls to hide it from everyone, which means you can effectively look up the Facebook profile associated with any mobile number.
Reza Moaiandin, the technical director of Leeds-based technology company Salt Agency, discovered this flaw. He then built a tool that randomly generated phone numbers and tried to find a profile registered with each one. Within minutes, the tool was able to retrieve the profile picture, name, and other publicly shared information of thousands of people.
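The abuse pattern described above, a single source firing many lookups at numbers that mostly match no profile, is detectable on the server side. The following is an added detection example, not Facebook's code or Moaiandin's tool; the log format, the thresholds and the sample lines are all assumptions constructed for the example.

```python
"""Flag phone-number enumeration against a profile-lookup endpoint.

Assumed log format, one lookup per line:
    "<ISO timestamp> <source> <phone> <hit|miss>"
where source is whatever identifies the caller (account id, API key, client IP).
Thresholds below are assumed policy values, not Facebook's.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # sliding window per source
MAX_LOOKUPS = 20                # lookups per window a legitimate user rarely exceeds
MIN_MISS_RATIO = 0.5            # guessed numbers mostly miss; real friends mostly hit


def parse_line(line):
    ts, source, phone, result = line.split()
    return datetime.fromisoformat(ts), source, phone, result == "hit"


def find_enumerators(lines):
    """Return {source: time_first_flagged} for sources whose lookups within one
    WINDOW exceed MAX_LOOKUPS with a miss ratio of at least MIN_MISS_RATIO."""
    recent = defaultdict(deque)   # source -> deque of (timestamp, hit)
    flagged = {}
    for line in sorted(lines):    # log may be unordered; ISO prefix sorts by time
        ts, source, _phone, hit = parse_line(line)
        q = recent[source]
        q.append((ts, hit))
        while q and ts - q[0][0] > WINDOW:   # drop events outside the window
            q.popleft()
        misses = sum(1 for _, h in q if not h)
        if len(q) > MAX_LOOKUPS and misses / len(q) >= MIN_MISS_RATIO:
            flagged.setdefault(source, ts)   # record the first time it tripped
    return flagged


def constructed_log():
    """Constructed sample: one user checking a few friends (all hits) and one
    scanner walking sequential numbers, most of which match no profile."""
    base = datetime(2015, 8, 6, 10, 0, 0)
    lines = []
    for i in range(5):
        lines.append(f"{(base + timedelta(minutes=i)).isoformat()} user_a +447700900{100 + i:03d} hit")
    for i in range(30):
        result = "hit" if i % 10 == 0 else "miss"
        lines.append(f"{(base + timedelta(seconds=3 * i)).isoformat()} scanner_z +447700900{200 + i:03d} {result}")
    return lines


if __name__ == "__main__":
    print(find_enumerators(constructed_log()))   # {'scanner_z': datetime(2015, 8, 6, 10, 1)}
```

The scanner trips the rule on its 21st lookup (18 misses out of 21), while the ordinary user never exceeds five lookups in the window and is left alone.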
It's like "walking into a bank, asking for a few thousand customers' personal information based on their account number, and the bank telling you: 'Here are their customer details,'" Moaiandin said in a statement to The Guardian.
Moaiandin informed Facebook about the vulnerability twice, in April and again in July, and urged it to add an additional layer of security. Facebook reportedly dismissed his discovery and refused to call it a vulnerability. The company also seemed rather complacent about the feature. "We do not consider it a security vulnerability, but we do have controls in place to monitor and mitigate abuse," it reportedly told Moaiandin.