A security expert has proven how easy it is to access user data on Facebook by revealing how he managed to get his hands on 100 million Facebook users’ private details, including phone numbers.
Ron Bowes of SkullSecurity.com proved he was able to spider through Facebook’s online directory and download 100m users’ names, addresses and phone numbers into a single BitTorrent file that could be downloaded from his website.
Bowes, in his blog, said he was motivated by a tweet that claimed by heading to www.facebook.com/directory you can get a list of every searchable user on Facebook.
He then had the idea of spidering the lists, generating first-initial-last-name (and similar) lists and then using a brute-force hacking tool to see if he could get the information.
“But as I thought more about it, and talked to other people, I realised that this is a scary privacy issue. I can find the name of pretty much every person on Facebook. Facebook helpfully informs you that ‘anyone can opt out of appearing here by changing their Search privacy settings’ – but that doesn’t help much anymore considering I already have them all (and you will, too, when you download the torrent). Suckers!
“Once I have the name and URL of a user, I can view, by default, their picture, friends, information about them, and some other details. If the user has set their privacy higher, at the very least I can view their name and picture. So, if any searchable user has friends that are non-searchable, those friends just opted into being searched, like it or not! Oops :)”
Bowes said he wrote a quick Ruby script that he used to download the full directory.
The torrent that Bowes created includes the URL of every searchable Facebook user’s profile, the name of every searchable Facebook user and the software programmes Bowes used to hack the directory.
These tools in the hands of malevolent hackers could prove quite scary when you consider that Bowes has managed to expose one-fifth of the second most-visited website on the planet.