Recent research by Indian security researcher Suriya Prakash has revealed that the majority of users' phone numbers are not safe on Facebook. The researcher has claimed that around 83.3 percent of Facebook users are vulnerable. Facebook has confirmed the researcher's findings and said that it has limited the brute-force search attack.
The attack is possible because Facebook did not limit the number of phone-number searches a user could perform through the mobile version of its website (after the media exposure, Facebook has limited these searches). Any malicious user could abuse Facebook's phone search with a brute-force search, enumerating phone numbers and obtaining the name of the person associated with each number.
What's more concerning is that the exploit works even if a person has set their phone number to private. The reason is that, on Facebook, completely hiding your phone number also requires changing your Privacy Settings. More details about how to protect your phone number on Facebook after the break.
In its defense, Facebook said, “the ability to search for a person by phone number is intentional behavior and not a bug in Facebook. By default, your privacy settings allow everyone to find you with search and friend finder using the contact info you have provided, such as your email address and phone number. You can modify these settings at any time from the Privacy Settings page.”
Facebook never clearly explains its privacy settings. The social network loves to keep the default privacy setting as Public (as is also evident from its statement above). When it comes to privacy, Facebook has a lot of shortcomings. When a new feature changes a user's privacy, an opt-in mechanism should be used instead of the opt-out mechanism the social network uses: it makes major changes and then asks users to opt out of the features if they don't want them.
How do you protect your phone number on Facebook?
1. Limit who can see your phone number on Facebook
First, you need to limit who can actually see your phone number. To do this follow the simple steps below.
- Visit Facebook.com, log in if you aren’t already. Click on your name in the top-left corner.
- Click on the “Update Info” button on the right side.
- Scroll down to “Contact Info”, click the “Edit” button.
- You will see a drop-down menu next to your phone number. Set this option to "Friends", "Custom" or "Only Me", and not "Public".
You can now be sure that only your friends can see your number (if you have set it to "Friends"), only the friends on a custom list (if you have set it to "Custom"), or no one at all (if you have set it to "Only Me"). Thus even if your profile is public (which it shouldn't be in the first place), your phone number is not visible to the public. But completing only this step will not ensure that your phone number is safe. You also need to complete the next step.
2. Limit who can search you by your phone number on Facebook
This is the setting that allowed the vulnerability to be exploited. Since most people on Facebook were either not aware of this setting or forgot to set it, their phone number is still searchable by the public even if they set their phone number to private in the previous step. And as the security researcher did, malicious users too can build a database of phone numbers and easily link the numbers to Facebook profiles, which include your name and other personal information.
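The article notes that Facebook's response was to limit brute-force searches on its end. As an added illustration of what such a server-side control can look like (example code written for this article, not Facebook's own), the following detector reads constructed access-log lines for a hypothetical "search by phone number" endpoint and flags any client that looks up more than a threshold of distinct numbers within a sliding time window, which is the signature of the enumeration described above rather than of an ordinary lookup. The log format, endpoint path and IP addresses are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access-log lines (not real Facebook logs) for a hypothetical
# mobile "search by phone number" endpoint. One client walks a sequential number
# range quickly; the other performs two ordinary lookups of a single number.
SAMPLE_LOG = """\
2012-10-05T10:00:00 203.0.113.7 GET /search?q=%2B15550000001
2012-10-05T10:00:01 203.0.113.7 GET /search?q=%2B15550000002
2012-10-05T10:00:02 203.0.113.7 GET /search?q=%2B15550000003
2012-10-05T10:00:03 203.0.113.7 GET /search?q=%2B15550000004
2012-10-05T10:00:04 203.0.113.7 GET /search?q=%2B15550000005
2012-10-05T10:00:05 203.0.113.7 GET /search?q=%2B15550000006
2012-10-05T10:00:30 198.51.100.4 GET /search?q=%2B15550001234
2012-10-05T10:02:00 198.51.100.4 GET /search?q=%2B15550001234
"""

# Assumed line format: "<ISO timestamp> <client IP> GET /search?q=<URL-encoded number>"
LINE_RE = re.compile(r"^(\S+) (\S+) GET /search\?q=(%2B\d+|\+?\d+)$")


def parse(line):
    """Return (timestamp, client, phone_number) or None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, query = m.groups()
    return datetime.fromisoformat(ts), client, query.replace("%2B", "+")


def detect_enumeration(log_text, window_seconds=60, max_distinct=5):
    """Return {client: time_first_flagged} for clients that queried more than
    max_distinct *distinct* phone numbers inside any window_seconds window.
    Repeated lookups of the same number do not count toward the threshold."""
    windows = defaultdict(deque)   # client -> deque of (timestamp, number), oldest first
    flagged = {}
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, client, number = rec
        recent = windows[client]
        recent.append((ts, number))
        cutoff = ts - timedelta(seconds=window_seconds)
        while recent and recent[0][0] < cutoff:   # drop entries outside the window
            recent.popleft()
        distinct = {n for _, n in recent}
        if len(distinct) > max_distinct and client not in flagged:
            flagged[client] = ts
    return flagged
```

The same counter can serve as the throttle itself: once a client is flagged, further lookups from it are refused for the remainder of the window instead of merely logged.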
As we've mentioned earlier, the problem is due to the way Facebook handles privacy. See the screenshot below, which shows the default privacy settings for how you connect with people on Facebook.
As you can see, by default, your privacy settings allow everyone to find you with search and friend finder using the contact info you have provided, such as your email address and phone number.
To modify (and protect your privacy on Facebook) who can search for you using your email address or phone number, follow the steps below:
- Click on the account drop-down menu in the top-right corner of any Facebook page and choose "Privacy Settings".
- Under the "How You Connect" heading, click on the blue "Edit Settings" link on the right-hand side.
- Set the drop-down menu next to "Who can look you up using the email address or phone number you provided?" to "Friends".
This will protect your phone number and email address on Facebook. It will stop anyone not in your friend list from being able to search for you on Facebook using your phone number (including any bot that is running to fetch details using random phone numbers, as seen in the vulnerability).