Romanian IT expert reveals Facebook vulnerability

21 October 2014

Say someone has a telephone number but doesn’t know who it belongs to. That person can go to the Facebook homepage and, instead of logging in to their own account, type in the phone number. If that number is associated with a Facebook account, the name and profile picture of the Facebook user will then pop up.

Hence, everyone who has a phone number associated with their Facebook account risks having this data found by any internet user. Romanian IT security expert Bogdan Alecu wrote about this in a post on the blog of the Association for Technology and Internet, according to local Hotnews.ro.

When a user adds a mobile phone number to the Facebook account, a first setting relates to who can see this number. In another location, however, the user can choose who can find them using this number, even if the previous setting says that only the user can see the number, Alecu explains.

“Unfortunately, the least permissive setting is that only friends can make such a search. So, once the number is added, at least all your friends can search for you using the phone number that only you can see. In my opinion, this restriction is a little bit useless,” writes Alecu.

Based on these settings, only the friends that know the user’s phone number can make a search on Facebook to see if the user has an account on the social network.

The vulnerability the Romanian expert says he found relates to the searches made by people who don’t even have a Facebook account, or are not logged in.

“What I used doesn’t require a Facebook account and anyone can perform such a search. Things are quite simple: once on Facebook.com, you have the option to recover your password in case you don’t remember it. In the search field, you have several options: e-mail address, telephone number, user name or the full name,” writes Bogdan Alecu.

Once the phone number has been entered, the result is the account associated with this number, along with the user’s name and picture.
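The gap described above, as an added example that is not from the original article or from Facebook: a small Python model in which the regular phone search honours the friends-only setting while the logged-out recovery lookup ignores it, next to a variant that returns the same reply for every number. All names, fields and phone numbers are constructed, and the uniform-reply variant is an assumed mitigation, not one the article reports.

```python
# Constructed model for illustration; hypothetical names, not Facebook's code.
from dataclasses import dataclass, field


@dataclass
class Account:
    name: str
    picture: str
    phone: str
    friends: set = field(default_factory=set)
    phone_visible_to: str = "only_me"   # first setting: who can see the number
    lookup_by_phone: str = "friends"    # second setting: least permissive option


# Constructed sample data.
ACCOUNTS = {
    "alice": Account("Alice Example", "alice.jpg", "+40700000001", {"bob"}),
    "bob": Account("Bob Example", "bob.jpg", "+40700000002", {"alice"}),
}


def _by_phone(phone):
    return next((a for a in ACCOUNTS.values() if a.phone == phone), None)


def search_by_phone(viewer, phone):
    """Regular search: requires a logged-in viewer and honours the lookup setting."""
    acct = _by_phone(phone)
    if acct is None or viewer is None:
        return None
    if acct.lookup_by_phone == "friends" and viewer not in acct.friends:
        return None
    return {"name": acct.name, "picture": acct.picture}


def recovery_lookup_leaky(phone):
    """Behaviour the article describes: no login needed, name and picture returned."""
    acct = _by_phone(phone)
    return {"name": acct.name, "picture": acct.picture} if acct else None


def recovery_lookup_uniform(phone, outbox):
    """Assumed mitigation: identical reply for every number; the code is sent
    out-of-band to the number itself, so the web response confirms nothing."""
    acct = _by_phone(phone)
    if acct:
        outbox.append((acct.phone, "recovery code"))
    return {"message": "If an account matches, a recovery code has been sent."}
```
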

Find the entire article here (in Romanian).

Irina Popescu, irina.popescu@romania-insider.com
