Facebook exposes user profiles to phone number search

On:Wednesday, 6 March, 2019

It has recently been revealed that if you have given your phone number to Facebook to enable their SMS-based two-factor authentication (2FA) on your account, other people can find you by simply searching for your phone number.

2FA is one the major means for stopping your online accounts from being hijacked by cybercriminals who seek to steal your passwords and is highly recommended to protect your privacy.

With 2FA you enter a six-digit security code that is sent to your phone through SMS, or is generated by an ‘authenticator’ app. This means that even if a hacker has your password, they won’t have your security code.

The added bonus is that the security code changes every 30 seconds, so even if they did somehow get it, they would find using it extremely difficult. While not perfect, 2FA is one of the best methods of making it harder for the bad guys to get into your accounts.

To get your six-digit security code you need to give Facebook your phone number, obviously. Not so obvious is that Facebook seemingly lets anyone look up the owner of a phone just by entering its number.

The latest revelation follows the revelation that Facebook was allowing companies to target adverts at people by exploiting phone numbers that were given to enable 2FA. This in turn followed the issue of Facebook themselves sending unwanted, non-security-related SMS messages to the phone numbers.

This latest scandal means that if someone obtained your phone number, they could find out your name, see your profile picture and any information you made public. This is known as performing a reverse-lookup.

Facebook came in for criticism last year when it was discovered that by simply entering someone’s phone number or email address into Facebook’s search box it would perform this reverse-lookup and expose who it belonged to, displaying any information that individual had shared publicly on their profile. After much criticism Facebook eventually decided to disable the feature.

However it seems Facebook has continued this practice, by default leaving your number available for reverse-lookup by anyone. Users have the option to limit this search to people within their friends list, but as yet Facebook has not given users a way to opt-out from reverse-lookup altogether.

SMS-based 2FA is a good method and is highly recommended over using a password alone. However experts suggest that downloading an authentication app is now a better means of securing your phone and Facebook does offer this option.