2 min read

Facebook Privacy Is Good/Bad (Enough); Just Flip a Coin!

Ioana Jelea

October 08, 2012


The discovery of a flaw that allows users' phone numbers to be looked up publicly, regardless of how they have restricted their contact info visibility, hits Facebook where it hurts most: data privacy.

Security researcher Suriya Prakash found that a conflict between two Facebook account privacy settings makes it possible to look random users up and associate their names with the phone numbers they provided as an authentication element on the platform. The “Who can look you up using the email address or phone number you provided” setting defaults to “Everyone”, and in practice it overrides the choice of cautious users who set their contact info visibility to “Only me”.

The researcher's attempt to get corrective action from Facebook to prevent mass phone number collection was met with a Facebook Security staff member's reply that there is “rate limiting on finding users via any means, including phone numbers.” Prakash then put that limit to the test with a macro script run against the mobile version of Facebook.

“So I decided to make a very simple POC,” reads Prakash's blog post detailing the experiment. “It was just a macros script that read and saved the user names for a range of generated numbers, and sent it to them. Many of you might be wondering how I bypassed the ‘Rate limiting’ by Facebook. Well, simple: I used the mobile version! THAT'S ALL!”

The data collection attempts were never blocked by the platform, and the possible consequences of this flaw being exploited to its full potential are striking. “I also calculated that it would take a person with a large enough botnet (100k) and a slightly better script […] just a couple of days to download the ENTIRE Username:Phonenumber list of Facebook's 600 million users who have mobile! Out of which at least 500 million would be vulnerable,” added Prakash.
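To make the two weaknesses described above concrete from the service side, here is an added model (not Facebook's code, and the setting names, directory and limit are constructed for the illustration): a lookup setting that silently overrides contact-info visibility, and a rate limit kept per entry point rather than per client, beside the corrected logic.

```python
"""Added illustration, not Facebook's code, of the two weaknesses the article
describes: a lookup setting that overrides contact-info visibility, and a rate
limit enforced per entry point rather than per client. Setting names, the
directory and LIMIT are constructed for this example."""
from collections import defaultdict

# Constructed sample directory: phone -> (name, lookup_by_phone, phone_visibility)
DIRECTORY = {
    "+15550000001": ("Alice", "everyone", "only_me"),   # cautious user
    "+15550000002": ("Bob", "everyone", "everyone"),
    "+15550000003": ("Carol", "only_me", "only_me"),
}
LIMIT = 2  # reverse lookups a single client may make before being throttled


class LeakyLookup:
    """Flawed model: 'who can look you up' alone decides whether a name is
    returned, and each entry point (web, mobile) keeps its own counter, so the
    limit is per path rather than per client."""
    def __init__(self):
        self.calls = defaultdict(int)

    def lookup(self, client, phone, via):
        self.calls[(client, via)] += 1
        if self.calls[(client, via)] > LIMIT:
            return "rate_limited"
        entry = DIRECTORY.get(phone)
        return entry[0] if entry and entry[1] == "everyone" else None


class HardenedLookup:
    """Fixed model: a stranger gets a name only if both the lookup setting and
    the phone visibility allow it, and one counter per client covers every
    entry point, so changing path does not reset the budget."""
    def __init__(self):
        self.calls = defaultdict(int)

    def lookup(self, client, phone, via):
        self.calls[client] += 1          # 'via' deliberately not part of the key
        if self.calls[client] > LIMIT:
            return "rate_limited"
        entry = DIRECTORY.get(phone)
        if entry is None:
            return None
        name, lookup_setting, visibility = entry
        return name if lookup_setting == visibility == "everyone" else None
```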

The vulnerabilities of online platforms do not seem to trouble the UK authorities that much. In fact, they are planning to allow users to sign in on a one-stop gov.uk website using existing online accounts, Facebook ones included. The third party providing the respective service to the user should, however, have obtained an Identity Assurance certification.

“We want to enable people to be able to prove their identity online, if they choose to, without the need for any national, central scheme. This way the citizen remains in charge, not the state,” a Cabinet Office spokesman told the Telegraph.

Though, in principle, this measure would save users the trouble of yet another login, some voices warn that cybercriminals are very likely to exploit the feature for their own profit. “It's a laudable effort but given the powers of cyber-crime it's inevitable that they are going to attack the third-party identifiers and find ways through the system,” Peter Warren, chairman of the Cyber Security Research Institute, told the Independent.
