Last week, Reza Moaiandin, who is the technical director of the site salt.agency, published a post on the site about a security exploit in Facebook’s APIs that could be used to gather up personal data of Facebook users in bulk. In the post, he gives a broad picture of how the exploit works, but leaves some details out so that it is more difficult for malicious individuals to replicate it. While some may doubt the truth of this exploit without enough detail to recreate it, Moaiandin mentioned in the comments section that the Guardian has seen the exploit, which corroborates his claim that the exploit is real.
The exploit works by taking advantage of the fact that Facebook makes it possible for anyone to search for users by their phone number, even if the phone number is not publicly viewable in their account. This can be turned off, but having an account publicly searchable by phone number is the default setting, and few users think to change it. Using the Facebook APIs it is possible for hackers to repeatedly guess phone numbers, and if there is an account associated with the number, the hacker will have access to that user’s data including their name, location, and photos. It is a simple matter to write a script that can automate this process and scoop up user data in bulk.
Moaiandin discovered this exploit entirely by accident back in May, and his reason for making it public now is to force Facebook to take action. He initially informed Facebook of the issue back in May, however Facebook’s representative who responded could not recreate the problem and did not think it was a security issue. After waiting a few months, Moaiandin tried to contact them again. This time, the response stated that there are controls in place to prevent abuse of the APIs in this way, and that they did not consider it a security issue. There are limitations on the number of API requests that can be sent per second, and the response suggests that Moaiandin was not being blocked because he was below the limit.
According to the Guardian article however, “Moaiandin generated tens of thousands of mobile numbers a second and then sent these numbers to Facebook’s application programming interface (API), a tool that allows developers to build apps linked to the social network. Within minutes, Facebook sent him scores of users’ profiles.” This suggests that whatever limitations Facebook has in place are not good enough to prevent harvesting of user account data by malicious individuals if they are using this exploit.
Does Facebook need to take action to address this exploit? Leave your comments below.