A mobile developer from Texas was able to scrape 2.5 million phone numbers of Facebook users by exploiting the social network's Graph Search. While this information was kept public by users, Facebook has sent a cease and desist notice to the hacker.
Brandon Copley, who is based in Dallas, argued that he was able to get the phone numbers from Facebook profiles that were accessible to the public or from profiles where the phone numbers were not omitted. However, Copley noted that a lot of the numbers are empty, inactive or not connected to a Facebook user with privacy settings set to public.
Copley's exploitation of Facebook's Graph Search feature aimed to expose a security hole in the social networking platform, but Facebook disagreed.
"Your privacy settings govern who can find you with search using the contact info you have provided, such as your email address and phone number. You can modify these settings at any time from the Privacy Settings page," a Facebook spokesperson told TechCrunch in an interview.
The mobile developer's data scraping was triggered by a recent incident in which some of Copley's valuables were stolen. He found some of his belongings on Craigslist and then traced the phone numbers of the culprits using Facebook's Graph Search. Discovering that the search feature may lead to privacy issues, Copley sent an email to Facebook.
"I agree with you personally. We do have antiscraping protections (ratelimiting, bad ip blocks, etc) but it comes down to people controlling their privacy, we can make the privacy tools available and we can encourage them to use them but we could never just switch their privacy settings for them. So there is not much more we can do," said an email reply from a member of Facebook's security team.
Copley is a Facebook developer, and he was determined to show Facebook that there is a strong possibility that Graph Search can be abused by data miners. Copley used his access tokens to do thousands of searches per day. He had collected less than 2.5 million before he received the notice from Facebook ordering him to stop.
This report about a weakness in Facebook's security features follows the June 21 discovery of a bug that exposed the information of six million users.
The Graph Search feature was rolled out by Facebook back in January.