A security flaw in the Facebook API allows hackers to decrypt and scan IDs, leaving the identities of 1.44 billion Facebook users at risk of being stolen, a web security expert has claimed.
Hackers can use a security exploit in Facebook to “decrypt and sniff out” the IDs of Facebook users through one of the vulnerable Facebook APIs, allowing them to gain access to the personal information of millions of Facebook users, including their name, location, phone number, pictures and other personal data.
Discovery of the Facebook Security Loophole
Reza Moaiandin, Technical Director at the Leeds-based technology company Salt Agency, revealed the issue in a technology blog post, stating, “The most worrying aspect of discovering this issue is that it happened entirely by mistake.” He added, “I wasn’t even searching for flaws in Facebook’s security when I came across it.”
The vulnerability would let hackers easily scan the personal details of an entire country’s Facebook users with automated scripts and programs that iterate through possible phone number combinations and find the Facebook account details linked to those numbers.
To test this, the researcher himself developed an automated script that searched for phone numbers and found the associated Facebook accounts by exploiting the vulnerability. He ran his script against the entire phone number ranges of the UK, the US and Canada.
How Risky Is This Vulnerability for Facebook Users?
This security loophole would allow cyber criminals to identify and track down the phone number of a targeted victim; once it is verified, they can use Facebook GraphQL to search for that particular number, giving them access to everything on the victim’s Facebook profile that is set to public, including name, pictures, location and other personal information.
“Unfortunately, for the 1.44 billion people currently using Facebook, this means that sophisticated hackers and black market sellers can access names and mobile phone numbers in as little as an hour through reverse engineering – at a time when an entire identity can be sold for as little as $5.”
The security researcher publicly disclosed his findings “in an attempt to catch Facebook’s attention” and to get this serious security loophole patched as soon as possible.
He believes that the bug could be patched by “limiting the requests from a single user” and by detecting the request patterns that a hacker’s automated searches produce.
Facebook’s Reaction to the Security Loophole
Moaiandin had already reported this security issue to the social media giant about four months earlier, on April 22nd! Surprisingly, its engineers were “unable to reproduce the issue [and] failed to understand the technical details”, the researcher wrote.
“Thank you for your reply. I have tried reproducing the behaviour that you are describing, however, I do not see a request to [censored text] when I add a contact that I know exists. Could you send a copy of the full request and perhaps more detailed instructions on exactly where you navigate to on the Messenger app to trigger this request? Also, you do not need to test this in a larger scale, the tests that you have conducted should be sufficient.”
He provided them with all the requested details but received no response from Facebook, and the security bug remained unpatched. Did you see how careless they are about their users’ privacy and sensitive data?
After waiting two whole months, the researcher reported the vulnerability once again on July 28th, and this time Facebook responded, in effect telling him that “this is not a big issue. They have set limits and I should not worry about this problem.”
“Thanks for writing in. I’ve investigated our codebase and it does appear to implement rate throttling. Note that the rate limits may be higher than the rate you’re sending to our servers, therefore you do not appear to be blocked. This is intentional. We do not consider it a security vulnerability, but we do have controls in place to monitor and mitigate abuse.”
Despite the issue being reported twice, the security engineers at Facebook do not consider it a security vulnerability and maintain that there is no way for a hacker to abuse it.
A Facebook spokesperson said:
“The privacy of people who use Facebook is extremely important to us. We have industry-leading proprietary network monitoring tools constantly running in order to ensure data security and have strict rules that govern how developers are able to use our APIs to build their products. Developers are only able to access information that people have chosen to make public.”
In simple words, Facebook doesn’t give a sh** about this flaw.
“Everyone who uses Facebook has control of the information they share, this includes the information people include within their profile, and who can see this information. Our Privacy Basics tool has a series of helpful guides that explain how people can quickly and easily decide what information they share and who they share it with.”
How Can You Protect Yourself from This Vulnerability?
According to Facebook’s support department, a hacker exploiting the vulnerable API would only be able to access the information a user has “chosen to make public.”
Until the security engineers at Facebook decide to fix this huge vulnerability, we recommend, as a precaution for the safety of your personal information, that you recheck your privacy settings and set your Facebook profile’s privacy to “Friends” or “Myself”. Make sure that nothing is set to “Public”.
Furthermore, if possible, do not provide your phone number to social networking websites at all, because searching for the phone number is the first step of this vulnerability and the one that lets an attacker tie a number to your account information. Otherwise, changing the phone number’s privacy setting to “Friends only” would do the trick too.
Do you have any other tips to further improve the privacy of the Facebook profile? Please share with us in the comments section below… We would love to hear your thoughts and suggestions!