Facebook knew for years scammers were harvesting users' details with phone number searches. Did nothing

Facebook ignored a widely-known privacy flaw for years, allowing scammers, spammers, and other malicious parties to scoop up virtually all users’ names and profile .

As I explained way back in 2012, when I was writing for the Sophos Naked Security blog, simply entering someone’s phone number or email address into Facebook’s search box would perform a reverse look-up and tell you who it belonged to, along with any information they shared publicly on their Facebook profile.

Facebook had set the default setting for “Who can look you up using the email address or phone number you provided?” to “Everybody”. Which, of course, was the weakest possible privacy: no privacy at all.

Facebook knew that most people would never bother to change the setting, and at the same time pressured users to enter a phone number when creating an account or during verification.

Three years passed, and a software developer wrote just a few lines of code which automatically cycled through every possible mobile number in the UK, United States, and Canada, scooping up users’ names, photos, and other .

That kind of information could be pretty useful for a scammer. For instance, they could phone you up pretending to be your mobile phone company, and refer to you by your name to appear more convincing.

Facebook didn’t stop the developer’s code from accessing hundreds of millions of its users’ profiles. What they did do is tell him that they didn’t consider it an issue.

Another three years have passed, and Facebook is finding itself in hot water after the Cambridge Analytica debacle.

With its share price slammed by allegations that its business model is not taking users’ privacy seriously, Facebook published a blog this week detailing some of the changes it was making.

Finally, Facebook is acknowledging that offering a reverse look-up based on phone numbers and email addresses is disastrous, and says it is disabling the feature.

But more than that, it is admitting that “most people on Facebook could have had their public profile scraped in this way.”

[Image: Facebook blog post]

Anyone who didn’t change their privacy settings after adding their phone number should assume that their information had been harvested.

Facebook chief Mark Zuckerberg acknowledged the scale of the problem in a Q&A with journalists:

“I certainly think that it is reasonable to expect that if you had that setting turned on, that at some point during the last several years, someone has probably accessed your public information in this way.”

How long is it going to take before people wake up to what’s going on here? Facebook’s business model is no secret, and is fundamentally incompatible with a growing number of people’s desire for online privacy.

Even when told about serious problems, Facebook ignored them.


About the author, Graham Cluley

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon’s Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and gives presentations on the topic of computer security and online privacy.

Follow him on Twitter at @gcluley, Google Plus, Facebook, or drop him an email.
