How I got your phone number through Facebook
Don’t have the time to read the entire article? Go to the FAQ section below for everything you should know.
Update: someone pointed out that PayPal actually reveals the last four digits of the phone numbers, so this technique may work for large countries as well if the target has its phone linked to its PayPal account.
Verifying one of the phone numbers I discovered
Last month, I discovered it is relatively simple to reveal private phone numbers on Facebook, uncovering some phone numbers of Belgian celebs and politicians. Even though this trick only seems to work in small countries such as Belgium (+/- 11.2 million people), a significant number of people are affected by this simple, yet effective privacy leak.
When I notified the fine folks of the Facebook Security team with my concerns, I got an answer I didn’t quite expect:
Not an issue, according to Facebook
When the “who can look me up by phone” setting is set to public, your phone number is public.
There are a few issues with this:
The setting is set to public by default
It’s confusing: even though your phone number on your profile is set to ‘only me’, the ‘who can look me up’-setting overrules this. While people think their phone number is private, it’s not:
This setting only indicates whether the phone number is visible on your profile. It does not indicate whether your phone number is public.
If this setting is set to ‘Everyone’, which is the default value, your phone number is considered public.
‘Who can look me up’ also implies the person ‘looking you up’ already has your phone number. It implies that someone is looking for your specific Facebook profile based on your phone number, and not the other way around.
There is simply no ‘only me’ setting
If you link your phone number to Facebook and want to lock down your privacy settings, you cannot prevent your ‘friends’ from still having access
Despite sharing my concerns with the security team, they decided not to fix the issue. Even though I do not agree, I respect their decision. I did decide to write about it nonetheless — I think people have the right to know.
Many people don’t even know Facebook has their phone number. While Facebook can not just extract your phone number from your phone, it will repeatedly ask you to confirm and save your number upon launching Facebook for mobile. After a colleague deleted his phone number following my findings, Facebook immediately asked him to re-enter it:
How it works
My technique uses the graph search. Most people know that you can enter a phone number in the Graph Search to get the corresponding user:
Verifying a Belgian celeb’s phone number I found using my technique
STEP 1: The last two numbers (1 minute)
I had to find a way to test thousands of phone numbers at once. The fewer phone numbers I’d have to test, the quicker I could get to the full number. To eliminate the last two numbers, I used Facebook’s password reset functionality:
STEP 2: The provider number (5–35 minutes)
Here’s a typical Belgian phone number, where X equals any number from 0–9, and PP equals the provider number. I already filled in the last two digits we got in the previous step.
04PPXXXX50
(Less than 400,000 possible numbers)
Provider numbers are linked to the mobile phone provider:
Some provider numbers are more widely used than others. People working for the government most likely have a 047 number, as Proximus is the state-sponsored provider.
At this point, I wrote a program that would make a contact list with every possible number starting with, let’s say, 0479:
It took less than a second to generate a list with all 10,000 possible numbers
Then I imported this list in the ‘find friends’ functionality and checked the suggested friends
There were a couple of “Jan”’s in the list, but my target was not. Don’t mind the ‘500’ number — more contacts were imported.
No luck for 0478, either. I had to switch accounts at this time because Facebook only allows 20,000 contacts to be imported in a short timespan. I logged into another test account, tried with 0477 and got “third time lucky”:
So at this moment we can add the provider number:
0477XXXX50
STEP 3: Narrowing down (10–15 minutes)
The last part only consists of some simple math: we have 10,000 possible numbers left, so if we test half of those numbers we can narrow down our pool to a handful of numbers, for example:
The target was present in this range, so this means that the fifth number is either 0, 1, 2, 3 or 4. 5000 [0000–5000] possible numbers left.
Let’s divide the 5000 numbers that are left by two again.
Testing for 0477 0000 50 – 0477 2500 50:
No results found
STEP 4: The final countdown (1 minute)
With only 40 possible phone numbers left, it is pretty easy to test all the numbers that are still in the pool. Just enter them in the search bar until you hit the profile you were looking for.
Testing all numbers left manually until I got the right one.
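A defender-side check, added here as an example and not part of the original post or of anything Facebook runs: the contact lists used above are the full Cartesian product of a few enumerated digit positions with everything else held fixed, whereas a real address book is a sparse sample of the number space. Comparing a batch’s size to that product flags both the full 0479XXXX50 list and the half-range probes from step 3; the import batches, account ids and sample numbers below are constructed for illustration.

```python
"""Flag contact-import batches shaped like phone-number enumeration.

Heuristic: a genuine address book is a sparse sample of the number space,
while an enumeration batch is (close to) the full Cartesian product of the
digit values it uses at each position. All sample data is constructed.
"""
from math import prod
import random


def coverage_ratio(numbers):
    """Return |distinct numbers| / product(distinct digits per position).

    1.0 means the batch exhaustively covers a digit range (every combination
    of the digits seen at each position is present); a normal address book
    is orders of magnitude below that.
    """
    distinct = {n for n in numbers if n.isdigit()}
    if not distinct:
        return 0.0
    width = max(len(n) for n in distinct)
    per_pos = [len({n[i] for n in distinct if i < len(n)}) for i in range(width)]
    return len(distinct) / prod(per_pos)


def is_enumeration(numbers, min_batch=100, threshold=0.5):
    """True when a batch is large and Cartesian-product shaped."""
    return len(numbers) >= min_batch and coverage_ratio(numbers) >= threshold


def flag_imports(batches, **kw):
    """batches: iterable of (account_id, [numbers]); returns flagged ids."""
    return [acct for acct, nums in batches if is_enumeration(nums, **kw)]


# Constructed sample 1: every number 0479XXXX50 (10,000 contacts, last two digits fixed).
ENUM_BATCH = [f"0479{i:04d}50" for i in range(10000)]
# Constructed sample 2: a half-range probe, 0477[0000-4999]50 (step 3 of the write-up).
HALF_BATCH = [f"0477{i:04d}50" for i in range(5000)]
# Constructed sample 3: a plausible personal address book, random and sparse.
_rng = random.Random(7)
ADDRESS_BOOK = [f"04{_rng.randint(70, 99):02d}{_rng.randint(0, 999999):06d}"
                for _ in range(300)]

if __name__ == "__main__":
    imports = [("acct-A", ENUM_BATCH), ("acct-B", HALF_BATCH), ("acct-C", ADDRESS_BOOK)]
    for acct, nums in imports:
        print(acct, len(nums), round(coverage_ratio(nums), 6))
    print("flagged:", flag_imports(imports))  # prints ['acct-A', 'acct-B']
```

A per-account import cap like the 20,000-contact limit mentioned above is bypassed by switching accounts, so a shape-based signal on the batch itself is a useful complement to per-account throttling.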
I informed the minister about this privacy leak. In a statement he said he didn’t know Facebook was leaking his phone number, but he personally doesn’t really mind as long as there’s no abuse.