Slashdot Mirror
Facebook Lets You Harvest Account Phone Numbers
A few weeks ago a friend of mine said she was getting harassing text messages from a particular phone number, which she didn't recognize and which didn't appear in any of her own records. On a whim, I suggested entering the number into the Facebook search box, whereupon we found the guy's profile (even though he had no friends in common with the account we were logged in under), realized who he was, and ratted the thirty-something out to his Mom.
Then I thought: Is it really a good idea, for this to be possible? I tried entering consecutive phone numbers (starting with a random valid number, and varying the last 2 digits from 00 to 99) into Facebook's search box, and 13 of them came up with valid matches. None of those matches had any friends in common with the account we were searching from; as far as I can tell, anybody could enter any phone number into Facebook's search box and find the account associated with it, if there is one.
I think this has non-trivial privacy implications. (I repeatedly contacted Facebook explaining why I think this is a problem, but they haven't responded.) I'm not talking about the ability to find the account associated with a particular phone number — I think relatively few people have a legitimate need to send text messages from a truly anonymous phone number, and if they do, it's their own fault if they're dumb enough to put that number on their Facebook profile. And it wouldn't be a practical way to unmask the phone number associated with a particular account, either — even if you knew the person's area code, and narrowed down the list of possible exchange numbers following the area code, you'd still have to try tens of thousands of possibilities.
Rather, the problem is that you could use this technique to build up a database of phone numbers and associated accounts without targeting any specific phone number or account. Not only would you know the names associated with each of the numbers, you could associate the phone number with anything else that was discoverable from the person's Facebook profile &mdash which usually includes their location, their interests, and the names of their other friends. (By default, all such information is visible on your Facebook profile — even to users who aren't your Facebook friends and have no friends in common with you — but your contact information is supposed to be hidden from other users unless you've confirmed them as friends.)
An attacker could do this with email addresses too, of course, if they had a long list of email addresses known to be valid, by searching to see which ones were associated with Facebook accounts. Or they could supplement it with a list of automatically generated email addresses like john001@hotmail.com, john002@hotmail.com, similar to what spammers use in a dictionary harvest attack, and hope that some of those would map to valid accounts as well. The difference is that because the space of possible email addresses is effectively infinite, and because many people use email addresses on Facebook that aren't on any publicly circulating databases, an email search would probably not hit more than a small portion of Facebook accounts that were searchable by email address. On the other hand, since the space of possible phone numbers is finite, with enough patience you could uncover every Facebook account that had an associated phone number. As my short experiment above showed (13 out of 100 random numbers mapping to accounts), you could start building up a list of valid hits pretty quickly.
Similarly, it's already trivially possible for an attacker to build up a long list of other users' Facebook accounts - start with one person's account, go through their friends list, then visit the profile of each of those users and index their friends list, etc., like a search engine recursively spidering the Web. However, you'd be left with a large list of Facebook accounts but no way to contact them — you wouldn't have their email addresses or phone numbers, and if you send a message to a non-friend on Facebook, it goes into a subfolder of their Inbox marked "Other", which most users never check. The phone number dictionary attack described above, is the only loophole I can think of that lets you harvest a large list of Facebook users and a means to contact them in a way that they will actually see.
What could somebody do with such a database? Well, even if you only had a small list of a few thousand people, you could try spamming or scamming the numbers via text message. SMS scams are nothing new, of course, but they would probably be more effective if supplemented with the details you could get from a person's Facebook profile. (For straight-up spam, you can target it based on the interests listed in a person's profile. For scams, remember that you can use names taken from a person's friends list: "Hi, this is Jessica Smith. I have to pay off a parking ticket online or my car will get towed; can I borrow your credit card number and then I'll pay you tomorrow?")
Or if you spidered so many accounts that you built up a database which included a significant portion of all Facebook users with phone numbers on their profile, you could even launch your own publicly searchable website, splattered with grey-market pop-up advertisements: "Look up any Facebook user's phone number! If they've got their number on their Facebook profile, we have it here!" (While this would certainly raise awareness of the problem, I think it's more likely that the data harvester would decide they could make more money trading the data on the black market.)
I haven't seen this issue raised anywhere else, but lest you accuse me of "giving the bad guys ideas", I do think it's sufficiently obvious that some people on the dark side have probably discovered it, or would have, even if I hadn't brought it up. And even if any of these outcomes is unlikely, it would only have to be done once, to put the users' data permanently in the hands of the attackers, with Facebook unable to put the cat back into the bag. (Although they could at least rectify the problem for new users going forward.)
Balanced against this, what is the upside of being able to search for someone's profile on Facebook using their phone number? In my Facebook-using days, I never did it, since it was always easier to find someone using their email address, or by searching for their name, or by finding them in the friends list of one of our mutual friends. But even in a case where all you had was the person's phone number, is it too much to text them and ask for their first and last name, or their email address, so you can add them on Facebook?
Although Facebook did not respond to my inquiries, it's true that the existing behavior doesn't technically look like a violation of their Privacy Policy ("To make it easier for your friends to find you, we allow anyone with your contact information (such as email address or telephone number) to find you through the Facebook search bar..."). And I verified with a new test account that by default, in your privacy settings, under "How You Connect", the setting "Who can look you up using the email address or phone number you provided?" is set to "Everyone." The problem is that this setting casually lumps the two together, and users — as well as Facebook itself — might not realize that the implications of being findable by your phone number, are different from being findable by your email address.
Facebook should probably just go ahead and block searches by phone number — or, at least, make you fill out a CAPTCHA every time you do a phone number search, to make it harder to harvest them in bulk. There's no way to know if scammers are trying this already, but at least we can prevent it going forward. That would require a small edit to Facebook's privacy policy, but luckily for them, they can now do that without even calling a vote.
- - - - - - - - - - - - - - - - - - - - - - - - - - Do you have a feature idea for Slashdot? Contact us at feedback@slashdot.org, and give us a heads-up!
Amazingly I got spam, I'm assuming because of this, just 5 minutes ago. Saying my profile picture is cute and they want to chat on yahoo messenger. Except for that fact that my picture is the retarded kid from the Stargate movie.
last time I went for a haircut, the first thing they asked me was my name. fine, they can call me when the next haircutter is open.
then they wanted my phone #. really? for a date, maybe? ;) (some of they are definitely cute).
no, they want to collect data and sell it. how absurd.
of course I declined. if you don't need it, you don't get it. and they most certainly don't need it.
reminds me of a rental app I was once asked to fill in. it had the usual ss#, date of birth, full name - but they also asked mothers maiden name. now, I realize that with some work, you can get that from public records, but you have to work for it and its still partially a password of sorts that banks use to verify your ID when you call on the phone (or lost your password for online). a housing rental that wanted pretty much all the info that the bank would ask me to verify my id. yeah, sure, I'll just give you that (not!). when I called the realtor on this, he simply said 'good luck in your search'. basically, he knew he was asking more than he had a right to and simply avoided admitting it.
watch what you give out, people. think about every bit of info and if they don't need it, don't give it to them.
--
"It is now safe to switch off your computer."
The headline just writes itself sometimes.
The interesting mix, is that just a few stories down on the home page is the story about the Facebook VOIP app that only can call Facebook users that have phone numbers on their profiles. Sometimes it's obvious that Facebook is moving too fast to realize how their different systems interact.
They want your information so they can sell it. They want as much as they can possibly get.
Do you think Facebook even try to protect your privacy? They write a feature which you might want, but which mostly benefits them.
And they've shown time and time again, they're not very good at even trying.
That fact that Zukerfucks sister got burned with privacy settings says they're deliberately obtuse.
Sure, Facebook could do all sorts of things to protect your privacy, but that's now how they get paid.
Lost at C:>. Found at C.
Apparently you can search for lots of things on Facebook. For example:
http://media.gizmodo.co.uk/wp-content/uploads/2013/01/facebookgraphlols1.png
http://media.gizmodo.co.uk/wp-content/uploads/2013/01/facebooklols4.png
... screwed us over more than they helped genuine people find us... Oh wait. Nope. They were optional, like facebook, and mostly the people that called were worth answering for.
Don't use that on face book, or toss out the tin hat.
Why are you people still even on Failbook in the first place? Are you really such sheep that you just have to be there "because everyone else is"? If everyone else jumped off a cliff would you follow them to your death? Don't be a Lemming.
o Facebook does NOT have your best interests at heart. You're just a "product" that it sells to advertisers.
o "I have nothing to hide" is a bullshit reason to post your whole life on the Internet. You really think the government and corporations aren't mining that data to predict -- and ultimately control -- your life? Wise up.
o "I want to stay connected to people". Here's a radical idea: How about you actually see people in person and interact and "connect" with them that way? This is what you people don't seem to get: The Internet does NOT "connect" anything except computers; your "friends" on Facebook are not your "friends" unless you actually SEE them and TALK TO THEM in person on at least a semi-regular basis. Failbook "friends" may as well be machine intelligence pretending to be people for all you know. Words on a page do not constitute a relationship!
You and everyone you know who says it is wrong: Your privacy is worth something, and it is real. Don't give it away to some fucking corporation, don't give it away to ANY government for ANY reason. The Internet is not your "friends"; it is just HARDWARE. Meet with real, live people; spend time with them, TALK to them, KNOW them, not just words on a page.
Search FB in all area codes for 867-5309 and ask to speak to Jenny. Lolz
There's more to it than meets the eye. I don't have a FB account, so I can't fathom why they would ask for you to include your phone number on it for any reason. I do know that Google now REQUIRES it just to open a Gmail account.
Some part of me simply doesn't trust this. We all know about correlation engines and how they work, and we know that the NSA collects and reads your emails (http://www.guardian.co.uk/technology/2012/sep/15/data-whistleblower-constitutional-rights). Now we add into the mix your phone number, which, as we already know is subject to warrant-less tapping (http://www.businessinsider.com/senate-renews-controversial-law-which-allows-warrantless-wiretapping-of-us-citizens-2012-12) and if the number you provides happens to belong to your cellphone, we know that it can act as a covert "roving bug" (http://yro.slashdot.org/story/06/12/02/0415209/fbi-taps-cell-phone-microphones-in-mafia-case). All of this provides more data to track you, what you do, who you interact with, who you're near at any given moment and those individuals interactions... All in the name of "keeping you/this country safe".
This simply doesn't sit well with me.
Fifty watts per channel, baby cakes.
I gave FB 555-1212 as my phone number. If someone wants to contact me, FB provides lots of ways for people I know to get in touch or request I "friend" them so they can.
Cheers,
Dave
They that can give up essential liberty to obtain a little temporary safety deserve neither safety nor liberty.
Ben
Except with bathroom stall numbers, the odds are greater that the call will be for a good time instead of how I can refinance my left nut for fast ca$$$$h
More Twoson than Cupertino
Where I live phone books only list landlines and the name and address tied to that land line.
A lot of people are going cell phone only. One of the benefits being you have a private number without having to pay the phone company extortion money to keep your name, number and address out of their phone book.
Do you have something like NoScript that inhibits the action of reCaptcha? Gmail requires a phone confirmation if you don't fill out the reCaptcha.
I've had to create throwaway Gmail accounts for a variety of things and have never seen the forced-phone-number thing.
You can change that in Facebook > Privacy Settings > Who can look me up? > Who can look me up by e-mail or phone
Simply change from "Everyone" to either "Friends" or "Friends of Friends".
Alternatively, do not give Facebook your phone number.
Well, I was going to wait for your karma to catch up with you, your reply really should be -1; flamebait, but clearly that isn't happening, so you'll get the response you deserve. Congratulations on selling your privacy cheap, I'm sure that the rest of the world appreciates you for it. What's the old saying, "if you didn't pay for it, YOU are the product", and you have clearly given them a lot of product to work with, and for that I thank you, as it makes the system work. People like me, who sell their privacy dear, don't get very far without the suck^Wusers that make the "you are the product" a net positive transaction for the Zuckermans of the world, as in they can provide whatever sops of value they allow us all because they're making substantially more from all the free information you're giving them. As for your armchair analysis of my past lives, good on you for giving more of a fuck about my past lives than I do, I hope it serves you well.
Just because you're paranoid doesn't mean they aren't out to get you
> And it wouldn't be a practical way to unmask the phone number
> associated with a particular account, either -- even if you knew
> the person's area code, and narrowed down the list of possible
> exchange numbers following the area code, you'd still have to
> try tens of thousands of possibilities.
That's why God made computers. Even if FB blocks cURL and the like, there are many ways to automate a browser.
Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
Facebook has been creating a culture of security awareness for all mankind since 2005. Most people, don't know, is new to computers/tablets or technology in general, but slowly the entire world is getting a clue on what should not to be done in the network, not because boring teaching or manuals, but feeling in real life the consequences, because facebook.