A security researcher says he found a serious flaw in Facebook's privacy controls back in April that makes it easy for attackers to harvest private information from thousands of accounts at once.
Guess what Facebook's doing about this? Nothing. Could it really be "no big deal"?
The researcher, Reza Moaiandin, was able to gather people's names and their locations, just by typing random phone numbers into Facebook's search bar. By default, under "Who can find me?" Facebook users can be looked up by their phone number. He then created an algorithm that was able to harvest tens of thousands of phone numbers, names and more sensitive data within minutes.
Bottom line: Moaiandin claims this can lead to a huge phishing problem for Facebook's 1.44 billion users. He claims, "sophisticated hackers and black market sellers can access names and mobile phone numbers in as little as an hour through reverse engineering." Facebook doesn't share that thought.
Moaiandin contacted Facebook back in April about the flaws, but Facebook wasn't able to recreate what Moaiandin found and asked for more information.
A few months later, Facebook sent Moaiandin the following message:
Thanks for writing in. I've investigated our codebase and it does appear to implement rate throttling. Note that the rate limits may be higher than the rate you're sending to our servers, therefore you do not appear to be blocked. This is intentional. We do not consider it a security vulnerability, but we do have controls in place to monitor and mitigate abuse.
What do you think? Reza didn't release any of the details surrounding the vulnerability for security reasons, so there's not much we know other than that he found a flaw and that Facebook doesn't seem too concerned.
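As an added illustration (not code from the article, from Moaiandin or from Facebook), the Python below shows why a request throttle on its own is a weak defense against this kind of lookup: over a constructed set of reverse-lookup log events, a per-client rate limit never trips for a client that queries one number every few seconds, while a check on how many distinct phone numbers a client looks up per window flags it. The event schema, client names, phone numbers and thresholds are all assumptions.

```python
from collections import defaultdict, deque

# Constructed sample of reverse phone-lookup events as (t_seconds, client_id, phone_number).
# Hypothetical schema, not Facebook's logs. "legit" looks up 5 numbers in a minute;
# "enum" walks 200 distinct numbers, one every 3 s, staying well under a 1 req/s throttle.
SAMPLE_EVENTS = (
    [(t * 12, "legit", f"+1555000{10 + t:04d}") for t in range(5)]
    + [(t * 3, "enum", f"+1555{100000 + t:06d}") for t in range(200)]
)
SAMPLE_EVENTS.sort()


def throttled_clients(events, max_requests, window_s):
    """Classic per-client rate throttle: flag a client whose request count within any
    sliding window of window_s seconds exceeds max_requests."""
    flagged, recent = set(), defaultdict(deque)
    for t, client, _ in events:
        q = recent[client]
        q.append(t)
        while q and t - q[0] > window_s:   # drop requests older than the window
            q.popleft()
        if len(q) > max_requests:
            flagged.add(client)
    return flagged


def enumerating_clients(events, max_distinct, window_s):
    """Enumeration detector: flag a client that looks up more than max_distinct
    *distinct* phone numbers within window_s seconds, regardless of request rate."""
    flagged, recent = set(), defaultdict(deque)
    for t, client, phone in events:
        q = recent[client]
        q.append((t, phone))
        while q and t - q[0][0] > window_s:
            q.popleft()
        if len({p for _, p in q}) > max_distinct:
            flagged.add(client)
    return flagged


if __name__ == "__main__":
    # A generous throttle (60 requests per minute) never fires for the slow enumerator...
    print("throttled:", throttled_clients(SAMPLE_EVENTS, 60, 60))        # set()
    # ...but a budget of 50 distinct targets per 10 minutes does.
    print("enumerating:", enumerating_clients(SAMPLE_EVENTS, 50, 600))   # {'enum'}
```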
If you want to take precautions just in case, unlink your phone number from Facebook and make sure your privacy settings, especially "Who can find me?", are set to private.