A software engineer has discovered a flaw in the Facebook search bar which leaves British users at risk of identity theft.
Reza Moaiandin, technical director at technology firm Salt, found that personal information could be discovered simply by writing a script that generates mobile phone numbers and searches for them. Hackers would be able to pull up Facebook usernames, telephone numbers, images and location data, writes Jason Murdock for V3.
User identity at risk of theft due to flaw
Moaiandin writes that when the script is run through the Facebook API, it could allow “millions of users’ personal data” to be compromised. The flaw will allow hackers to “phish” Facebook users unless the social network takes action.
“By using a script, an entire country’s (I tested with the US, the UK and Canada) possible number combinations can be run through these URLs. And if a number is associated with a Facebook account it can then be associated with a name and further details,” Moaiandin explained.
He suggests that Facebook combat the problem by introducing another layer of encryption. Facebook was notified of the problem on April 22 and July 28, although the company maintains that adequate protection already exists.
Facebook insists data is not at risk
A Facebook spokesman told V3 that the social network has “industry leading proprietary network monitoring tools constantly running in order to ensure data security”.
“We have strict rules that govern how developers are able to use our APIs to build their products. Developers are only able to access information that people have chosen to make public,” the spokesperson added. “Everyone who uses Facebook has control of the information they share. This includes the information people include within their profile, and who can see this information.”
Moaiandin maintains that users are still at risk. “Unfortunately for the 1.44 billion people currently using Facebook, this means that sophisticated hackers and black market sellers can access names and mobile phone numbers in as little as an hour through reverse engineering – at a time when an entire identity can be sold for as little as $5,” he said.
Internet security is of great concern to social media users, and Facebook recently introduced new privacy features. A Security Checkup is available to all Facebook desktop users, offering assistance in improving security.