Vulnerability in the Facebook Application Program Interface (API) raises questions about the security of users' personal data

Web security experts report that a flaw in the Facebook API lets anyone harvest the personal data of any user by supplying the phone number that user has stored on Facebook. Because Facebook has well over a billion users, and a phone number is easy to guess or enumerate, this failure leaves the publicly visible profile data of a very large number of people open to bulk collection.

Attention: Facebook has your personal data stored.

Facebook, the social networking giant, has grown enormously over the last decade and now has 1.49 billion active users worldwide. One study indicates that a person with Facebook installed on a smartphone spends a fifth of the day on the phone, and most of that time on Facebook. Users may have personal data stored on Facebook that they do not want revealed to anyone else: a mobile number, a friend list, pictures, status updates and much more.

Any user profile can be viewed by anyone who knows or guesses the phone number linked to it.

Yes, that's right. The flaw in the Facebook API lets anyone retrieve the profile details of any user whose details are set to public view. Facebook stores the mobile number a user supplies to log in or to upload pictures directly from a phone. Anyone who knows or guesses a user's mobile number can submit it to the Facebook API and get back whatever personal data the victim has set to be publicly viewable. The researcher who found the flaw also reported that "hackers could decrypt and sniff out Facebook user IDs using one of Facebook's APIs in bulk".

Reza Moaiandin, Director of Salt Agency, who discovered and researched the issue, says he was not even looking for Facebook security flaws when he found it. In a post on the company's technology blog he wrote: "The most worrying aspect of discovering this issue is that it happened entirely by mistake."

His research shows that by generating mobile number combinations and trying them one after another, an attacker can use the API to reach every profile that has a mobile number stored. To confirm this, Reza wrote a script that generates mobile numbers from a given pattern and harvests the information linked to the profile associated with each generated number.
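The following is an added illustration of the enumeration technique described above and of the control that defeats it; it is not Reza's script and not Facebook code. The `lookup_by_phone` function and the `DIRECTORY` it reads are constructed stand-ins for the real reverse-lookup endpoint and user database (the numbers and names are made up), and the `RateLimitedLookup` class goes beyond the article by showing why a per-caller query budget turns a ten-thousand-number sweep from an hour's work into weeks of waiting.

```python
import itertools
import time

# Constructed sample directory (phone number -> public profile). It stands in
# for the real user database; none of these numbers or people are real.
DIRECTORY = {
    "+447700900123": {"id": 1001, "name": "Alice Example", "city": "Leeds"},
    "+447700900456": {"id": 1002, "name": "Bob Example", "city": "York"},
    "+447700900789": {"id": 1003, "name": "Carol Example", "city": "Hull"},
    "+447700901000": {"id": 1004, "name": "Dan Example", "city": "Bath"},
}


def lookup_by_phone(number):
    """Hypothetical reverse lookup: returns the public profile for a number, or None.
    This models the behaviour the article describes, not Facebook's actual endpoint."""
    return DIRECTORY.get(number)


def numbers_from_pattern(pattern):
    """Expand a pattern such as '+44770090XXXX' into every concrete number.
    Each 'X' becomes one digit; every other character is kept as-is."""
    wild = pattern.count("X")
    for digits in itertools.product("0123456789", repeat=wild):
        it = iter(digits)
        yield "".join(next(it) if c == "X" else c for c in pattern)


def harvest(pattern, lookup=lookup_by_phone):
    """The attacker's loop: try every number in the pattern and keep the hits."""
    found = {}
    for number in numbers_from_pattern(pattern):
        profile = lookup(number)
        if profile is not None:
            found[number] = profile
    return found


class RateLimitedLookup:
    """Wraps a lookup with a per-caller budget of queries per time window.
    A small budget keeps a genuine 'find my contacts' use working while turning
    a 10,000-number sweep into hundreds of windows' worth of waiting."""

    def __init__(self, lookup, budget, window_seconds, clock=time.monotonic):
        self._lookup = lookup
        self.budget = budget
        self.window = window_seconds
        self.clock = clock
        self._calls = {}  # caller -> timestamps of that caller's recent queries

    def lookup(self, caller, number):
        now = self.clock()
        recent = [t for t in self._calls.get(caller, []) if now - t < self.window]
        if len(recent) >= self.budget:
            raise PermissionError("rate limit exceeded for caller %r" % caller)
        recent.append(now)
        self._calls[caller] = recent
        return self._lookup(number)


def harvest_throttled(pattern, limited, caller):
    """Same sweep as harvest(), but through the limiter; stops when cut off.
    Returns (profiles found, numbers actually queried before the cap)."""
    found, queried = {}, 0
    for number in numbers_from_pattern(pattern):
        try:
            profile = limited.lookup(caller, number)
        except PermissionError:
            break
        queried += 1
        if profile is not None:
            found[number] = profile
    return found, queried


if __name__ == "__main__":
    pattern = "+44770090XXXX"  # 10,000 candidate numbers
    hits = harvest(pattern)
    print("unthrottled sweep: %d profiles from %d numbers" % (len(hits), 10 ** 4))
    limited = RateLimitedLookup(lookup_by_phone, budget=20, window_seconds=3600)
    hits, queried = harvest_throttled(pattern, limited, caller="attacker-app")
    print("throttled sweep: %d profiles, cut off after %d queries" % (len(hits), queried))
```

The per-caller budget only works if the caller is identified by something the attacker cannot cheaply multiply (an app token or account, not just a source IP), so in practice it is paired with per-target lookup limits, a setting that lets the user opt out of lookup by phone number entirely, and monitoring for the distinctive signature of a sweep: a high ratio of misses to hits over sequential numbers.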

Reza further reported: "Unfortunately, for the 1.4 billion people currently using Facebook, this means that sophisticated hackers and black market sellers can access names and mobile phone numbers in as little as an hour through reverse engineering, at a time when an entire identity can be sold for as little as $5."

Do Facebook's security engineers know about this flaw?

Yes. Reza Moaiandin reported the issue to Facebook's security engineers, but they declined to treat it as a vulnerability because they could not reproduce the effect. He contacted them repeatedly and supplied every detail they requested, but the flaw remains as it was.

A Facebook spokesperson said: "The privacy of people who use Facebook is extremely important to us. We have industry-leading proprietary network monitoring tools constantly running in order to ensure data security and have strict rules that govern how developers are able to use our APIs to build their products. Developers are only able to access information that people have chosen to make public."

"Everyone who uses Facebook has control of the information they share. This includes the information people include within their profile, and who can see this information. Our Privacy Basics tool has a series of helpful guides that explain how people can quickly and easily decide what information they share and who they share it with."

What’s the solution?

Personal data on Facebook can be made more secure by following the simple tips below:

Set all information on your Facebook profile to be viewable by friends only.

Share posts, pictures and other data using the "Share with friends only" option.

Avoid linking your mobile number to your profile; if you keep one on the account, restrict who can look you up by that number in the privacy settings, since a friends-only profile does nothing to stop a phone number lookup if that setting is still open to everyone.

Following the tips above reduces the risk of data harvesting to some extent, but storing personal and private data online is inherently risky.
