Software developer exploits loophole to obtain thousands of names, pictures and locations of users who link their mobile phone number with account

Facebook has been urged to tighten its privacy settings after a software engineer was able to harvest data about thousands of users – simply by guessing their mobile numbers.

The developer obtained the names, profile pictures and locations of users who had linked their mobile number to their Facebook account but had chosen not to make it public.

Security experts said the loophole would allow hackers to build enormous databases of Facebook users for sale on internet black markets. “They should be attempting to prevent the widescale hoovering up of data, and I’m disappointed to hear that they appear to have failed on this occasion,” said Graham Cluley, a computer security analyst.

Reza Moaiandin, the software engineer who discovered the flaw, exploited a little-known privacy setting allowing anyone to find a Facebook user by typing their phone number into the social network.

By default, this Who can find me? setting is set to Everyone/public – meaning anyone can find another user by their mobile number. This is the default setting even if that user had chosen to withold their mobile number from their public profile.



Using a simple algorithm, Moaiandin generated tens of thousands of mobile numbers a second and then sent these numbers to Facebook’s application programming interface (API), a tool that allows developers to build apps linked to the social network. Within minutes, Facebook sent him scores of users’ profiles.

All the information Moaiandin received was publicly available, but the ability to link the profiles to mobile numbers on such a large scale leaves the system open to abuse.

Cluley said Facebook should make it “as difficult as possible” for third parties to scoop up even the publicly shared information belonging to Facebook’s 1.5bn users.

If Facebook cares about its community, it should perhaps do more to lead them in the right direction Graham Cluley, computer security analyst

“If Facebook cares about its community, it should perhaps do more to lead them in the right direction – perhaps ensuring that users have to choose whether they want to make their phone numbers publicly accessible, rather than that being a default,” he said.

Moaiandin, the technical director of Leeds-based technology company Salt.agency, compared it to “walking into a bank, asking for a few thousand customers’ personal information based on their account number, and the bank telling you: ‘Here are their customer details.’”

He alerted Facebook to the vulnerability in April through its “bug bounty” scheme and then again on 28 July, when a Facebook security engineer said it had measures to prevent suspicious behaviour. The Facebook employee added: “We do not consider it a security vulnerability, but we do have controls in place to monitor and mitigate abuse.”

Facebook insists it has strict rules that limit how developers are able to use its API and that it takes action against anyone who breaks them.



Moaiandin said it could take minutes to find the mobile number of a celebrity or high-profile politician if that person had connected their phone to Facebook and not selected “friends-only” under the “Who can find me?” privacy settings.

The developer also urged Facebook to introduce a second layer of encryption, as Apple and Google have in place, which would have prevented him from finding the users’ information.

Security researcher Brian Honan said people needed to be more aware of how much information they shared online. “The issue is a combination of social networks not gathering and retaining as much information on people as they do, and people being more aware of the risks they face when posting so much details online,” he said.

A Facebook spokeswoman said: “The privacy of people who use Facebook is extremely important to us. We have industry-leading proprietary network monitoring tools constantly running in order to ensure data security and have strict rules that govern how developers are able to use our APIs to build their products. Developers are only able to access information that people have chosen to make public.

“Everyone who uses Facebook has control of the information they share, this includes the information people include within their profile, and who can see this information. Our Privacy Basics tool has a series of helpful guides that explain how people can quickly and easily decide what information they share and who they share it with.”