The researcher generated numbers with U.S. and India country prefixes and created a simple proof-of-concept (PoC) macros script that searched for them on Facebook and saved the ones that were found to be associated with Facebook profiles, together with the names of their owners.
Prakash said that he decided to publicly disclose the vulnerability a few days after sending his PoC script to Facebook, because the company didn't respond. Prakash even published 850 partially obfuscated phone numbers and associated names which, he claimed, represented a very small portion of the data he obtained during his tests.
"It's been about a week since I started running it and I still haven't been blocked," Prakash said Monday via email. "I even informed them [Facebook] today morning (Indian time), still no reply."
Facebook did not return a request for comment sent Monday.
Following Prakash's public disclosure, Tyler Borland, a security researcher with network security vendor Alert Logic, created an even more efficient script that can run up to ten Facebook phone search processes at the same time. Borland's script is called "Facebook phone crawler" and can search for phone numbers from a user-specified range.
"With default settings I was able to verify data for 1 phone number every second," Borland said via email on Monday. "They [Facebook] do not employ any kind of rate limiting or I haven't hit that limit yet. Again, I sent hundreds of requests within short intervals of time and nothing happened."
With Borland's script running on a large botnet -- over 100,000 computers -- an attacker could find the phone numbers and names of most Facebook users with mobile numbers associated with their accounts in a matter of days, Prakash said.
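The scripts described above work only because the lookup endpoint never refuses a request, and Prakash's botnet estimate shows why a per-client limit alone would not be enough: a hundred thousand hosts can each stay under any reasonable per-IP threshold. The following is an added example, not code from the article, from Facebook, or from Prakash's or Borland's scripts. It is a sliding-window limiter that counts distinct phone numbers looked up per client and site-wide, run against constructed traffic: one legitimate user, one fast single-host crawler, and a botnet of 100 hosts that each stay under the per-client limit. The thresholds, the log format, and all IP addresses and phone numbers are assumptions chosen for the demonstration.

```python
"""Sliding-window limiter for a phone-number lookup endpoint.

Added example, not Facebook's code. Thresholds, the log format and the
client/phone values below are assumptions made for the demonstration.
"""
from collections import Counter, defaultdict, deque

WINDOW = 60.0          # seconds (assumed)
PER_CLIENT_LIMIT = 20  # distinct numbers one client may look up per window (assumed)
GLOBAL_LIMIT = 500     # distinct numbers looked up site-wide per window (assumed)


class PhoneLookupLimiter:
    """Tracks distinct phone-number lookups per client and site-wide.

    The per-client limit stops a single crawler; the site-wide limit is
    what catches a botnet whose members each stay under the per-client
    limit. Lookups must be fed in timestamp order.
    """

    def __init__(self, window=WINDOW, per_client=PER_CLIENT_LIMIT, global_limit=GLOBAL_LIMIT):
        self.window = window
        self.per_client = per_client
        self.global_limit = global_limit
        self.by_client = defaultdict(deque)  # client -> deque of (ts, phone)
        self.site_wide = deque()             # deque of (ts, phone) for every client

    def _evict(self, q, now):
        # Drop entries that have fallen out of the window.
        while q and q[0][0] <= now - self.window:
            q.popleft()

    @staticmethod
    def _distinct(q):
        # Count distinct numbers, so re-searching the same number is not penalised.
        return len({phone for _, phone in q})

    def check(self, client, phone, ts):
        """Record one lookup and return 'allow', 'block_client' or 'block_global'."""
        cq = self.by_client[client]
        self._evict(cq, ts)
        self._evict(self.site_wide, ts)
        # Record before deciding, so a blocked client stays blocked while it keeps hammering.
        cq.append((ts, phone))
        self.site_wide.append((ts, phone))
        if self._distinct(cq) > self.per_client:
            return "block_client"
        if self._distinct(self.site_wide) > self.global_limit:
            return "block_global"
        return "allow"


# Constructed log lines (assumed format): "<epoch-seconds> <client-ip> <phone-searched>"
SAMPLE_LOG = """\
0 198.51.100.7 +14155550100
1 198.51.100.7 +14155550101
2 198.51.100.7 +14155550100
"""


def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, client, phone = line.split()
        events.append((float(ts), client, phone))
    return events


def constructed_traffic():
    """Constructed traffic: one legitimate user, one fast crawler, one botnet."""
    events = parse_log(SAMPLE_LOG)
    # Single crawler: 30 distinct numbers, one per second (assumed addresses/numbers).
    for k in range(30):
        events.append((10.0 + k, "203.0.113.5", f"+1415555{1000 + k:04d}"))
    # Botnet: 100 hosts, 6 distinct numbers each, interleaved within six seconds.
    for r in range(6):
        for i in range(100):
            events.append((40.0 + r + i / 100, f"192.0.2.{i}", f"+9198{r:02d}{i:04d}00"))
    # The crawler returns after the window has slid past all of its earlier lookups.
    events.append((120.0, "203.0.113.5", "+14155552000"))
    return events


def run(events):
    """Feed events through a fresh limiter; return decision totals and blocks per client."""
    limiter = PhoneLookupLimiter()
    decisions = Counter()
    blocked_per_client = Counter()
    for ts, client, phone in events:
        decision = limiter.check(client, phone, ts)
        decisions[decision] += 1
        if decision != "allow":
            blocked_per_client[client] += 1
    return decisions, blocked_per_client


if __name__ == "__main__":
    totals, blocked = run(constructed_traffic())
    print(totals)
    print(sorted(blocked.items())[:5])
```

On the constructed traffic the single crawler is cut off after 20 distinct numbers, while no botnet host ever trips the per-client limit; only the site-wide count of distinct numbers catches the remaining 132 of its 600 lookups. The site-wide counter is a coarse signal and in production would be tuned against the endpoint's normal distinct-lookup rate, but the design point is the one the article makes: a limit keyed only on the requesting client does not protect a search space that an attacker can split across many clients.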
It is disturbing that this vulnerability is still open and there are public tools available to exploit it, said Bogdan Botezatu, a senior e-threat analyst at antivirus vendor Bitdefender, via email on Monday. Very few users alter their default privacy settings, he said.
This is another example of how a great feature can end up abused if safety mechanisms are poorly implemented or are completely missing, Botezatu said. "Unlike e-mail messages or blog comments, approaching a user by phone is much more effective in a spear vishing [voice phishing] attack, mostly because the computer user is not aware of the fact that his phone number may have ended up in the wrong hands. Coupled with the users' information in their profile, an attacker can convince the user into handing over personal information in no time."