Belgian security researcher Inti De Ceukelaire claims he discoved a method to figure out the phone numbers associated with many Facebook accounts, even when these phone number are not set to be displayed in public by the account owners. This is not the first time De Ceukelaire discovered a serious privacy leak in Facebook: in the summer of 2016 he found a way to spy on the links being shared by users of the social network site.
During several interviews with Belgian media outlets De Ceukelaire claimed he discovered a way to abuse a feature that allows people to be looked up by their phone number. Many Facebook accounts can be found by searching for the phone number associated with them (this setting is enabled by default). Doing the reverse is normally not possible but De Ceukelaire claims he found a way to do it even when those numbers are not set to be displayed in public.
So far De Ceukeleire has not made his method public in order to give Facebook time to patch this security hole. Facebook from their side already told him they don't consider the issue serious enough to fix. According to Facebook it would take too many tries to find out any useful information by abusing the search function and they are already countering this by rate limiting the number of requests users can make. It would take months to try all phone numbers according to Facebook. De Ceukelaire says his actual method only takes 30 minutes for a single account.
Facebook: alle GSM nrs zijn standaard openbaar. Kan het enkel manueel op 'enkel vrienden' zetten. Duurt maar 30 min om nr te achterhalen... pic.twitter.com/f9avVPkm4H
-- Inti De Ceukelaire (@intidc) January 13, 2017
De Ceukelaire has said in an interview he is planning on releasing the exploit in the wild if Facebook keeps refusing to patch the vulnerability.
Right now there is no 100% certain method to protect yourself from this method but you can limit the number of people who can use it to find out your number by going into Facebook's privacy settings and changing the option for who can look you up using the phone number you provide to 'Friends' only. That way if somebody steals your number using this method at least you'll know it was one of your friends...
