Reza Moaiandin, technical director of Salt.agency, used a script to generate every possible phone number combination in Britain, the US and Canada, the Daily Mail reported. He then sent millions of numbers in bulk to Facebook’s application programming interface (API), which developers use to build apps. In return, he received millions of unobstructed personal profiles.
“With this security loophole, a person with the right knowledge can harvest the non-private details of the users who allow public access to their phone numbers, enabling the harvester to then use or sell the user details for purposes that the user may not be happy with,” Moaiandin was quoted as saying by the Mail.
Although Moaiandin notified Facebook in April and called for APIs to be pre-encrypted, the security loophole remains intact, leaving the site’s 1.44 billion users open to hacks.
According to a report last year by the national security division of RAND Corporation — a non-profit global policy think tank based in the US — pictures, names, phone numbers, education history and locations can be sold on a network of illegal trading sites.
Twitter and Facebook accounts are now more profitable than stolen credit cards, according to the RAND report.