Following the revelations that have shown major flaws in Facebook’s privacy settings with regard to linking your mobile number, security experts are now calling for the company to get serious about protecting users.
The issue stems from one security researcher’s discovery about the impact of a person’s Facebook profile being linked with their mobile phone number, which is set to public by default so that people can find them.
Using a simple algorithm, security engineer Reza Moaiandin was able to generate thousands of phone numbers which, when put through Facebook’s API for developers, returned Facebook users’ personal data.
According to The Guardian, the biggest issue security researchers have with the revelation is not only that Facebook has been slow to react, but also that people’s mobile phone numbers are set to public by default.
Computer Security Analyst Graham Cluley said:
If Facebook cares about its community, it should perhaps do more to lead them in the right direction – perhaps ensuring that users have to choose whether they want to make their phone numbers publicly accessible, rather than that being a default.
Facebook denies it is a vulnerability
Moaiandin had previously stated that he had made Facebook aware of the vulnerability back in April and July of this year, but Facebook had denied that it was a security vulnerability.
Both Moaiandin and other security researchers have called on the social network to implement a two-step encryption layer that would have prevented Moaiandin from exploiting the “Who can find me?” privacy setting.
A Facebook spokesperson has reiterated the company’s position that it offers all the necessary tools to allow someone to change the scope of their privacy settings as they see fit.
A Facebook spokesperson said:
The privacy of people who use Facebook is extremely important to us. We have industry-leading proprietary network-monitoring tools constantly running in order to ensure data security and have strict rules that govern how developers are able to use our APIs to build their products. Developers are only able to access information that people have chosen to make public.