Before gathering up the mob and handing out the torches and pitchforks, you should probably establish what the facts actually are. I don't think the author of this post has really done that.
The way these systems should work, and appear to work in Facebook's case, is that the amount of information revealed depends on risk analysis.
For example, I just tried recovery from an IP I've used Facebook from, and from a fresh IP from a low reputation hosting provider located in a country unrelated to the account. The first case reveals the user's name, but that's pretty reasonable since the request has a decent amount of affinity for the account. The risky looking recovery does not reveal the name.
Both logins show the first letter of the local part of the email address, which is basically no information leakage at all. (Though honestly, if you show just one letter even for non-risky recovery attempts, why bother? It can't possibly be of any significant help to the users.)
I can't tell whether the profile picture changes based on the risk analysis outcome or not, since I don't have a test account with one.
(It's still possible that this is a bad implementation; e.g. if it were to be revealing my username for any recovery attempt from the correct country, that'd be unreasonable since it's trivial to figure out the country from the phone number. But even so one should still establish what the relevant parameters are, so that we can figure out whether the behavior is reasonable.)
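The tiered behaviour described in the comment above, as an added illustration (not code from the thread or from Facebook): a recovery request is classified by whether it comes from a network the account has logged in from before and by the reputation of the source IP, and only the low-risk tier gets the name and photo; both tiers get the single-letter email mask. The account, the /24 network list, and the "good"/"low" reputation labels are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    name: str
    email: str
    has_photo: bool
    # /24 networks the account has successfully logged in from before.
    known_networks: tuple


# Constructed test account; the network comes from the TEST-NET-3 range.
ACCOUNT = Account(
    name="Jane Example",
    email="jane.doe@example.com",
    has_photo=True,
    known_networks=("203.0.113.0/24",),
)


def mask_email(email: str) -> str:
    """Reveal only the first letter of the local part and of the domain name,
    keeping the TLD so the user can tell which mailbox to check."""
    local, _, domain = email.partition("@")
    dname, _, tld = domain.rpartition(".")
    masked_local = local[:1] + "*" * (len(local) - 1)
    masked_domain = dname[:1] + "*" * (len(dname) - 1) + "." + tld
    return f"{masked_local}@{masked_domain}"


def classify_request(account: Account, request_ip: str, ip_reputation: str) -> str:
    """Return 'low_risk' when the request comes from a network the account has
    used before and the IP is not from a low-reputation provider; everything
    else is 'high_risk'. A country match is deliberately not a signal, because
    the country is derivable from the phone number itself."""
    ip = ipaddress.ip_address(request_ip)
    seen_before = any(ip in ipaddress.ip_network(net) for net in account.known_networks)
    if seen_before and ip_reputation != "low":
        return "low_risk"
    return "high_risk"


def recovery_hint(account: Account, request_ip: str, ip_reputation: str) -> dict:
    """What the recovery page may show for this request: the email mask always,
    name and photo only for the low-risk tier."""
    tier = classify_request(account, request_ip, ip_reputation)
    hint = {"email_hint": mask_email(account.email), "tier": tier}
    if tier == "low_risk":
        hint["name"] = account.name
        hint["profile_picture"] = account.has_photo
    return hint


if __name__ == "__main__":
    print(recovery_hint(ACCOUNT, "203.0.113.45", "good"))  # previously seen network
    print(recovery_hint(ACCOUNT, "198.51.100.7", "low"))   # fresh, low-reputation IP
```

The affinity signal is the point of the design: the same response that is harmless for a request from a known network is a name-lookup oracle for a request from anywhere else, so the disclosure decision has to be made per request, not per account.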
It actually says right there on the screenshot "You can see your name and profile picture because you're using a computer network you've logged in on before." So this is only working because the author has used this computer (or one on the same subnet) to log in to his FB account before (private browsing mode does not obscure the IP address). It will not work in the general case.
The author is a bit late to the party - this used to be a thing. IIRC you could just enter the phone in fb search and it would spit out the name + fb link even for private profiles.
Someone I knew scanned down a whole country's numbers in a couple of months (there was some rate limiting and that's about it) - and that guy just did it for fun. I'm sure there were plenty of shady companies doing the same thing.
After a while FB started cracking down on this. They even admitted they knew about it for years. Can't find a link but IIRC that was 4-5 years ago.
> if you show just one letter even for non-risky recovery attempts, why bother? It can't possibly be of any significant help to the users.
It's of much help to me.
I use different email addresses for different services, and any help the service can give me to ensure I'm giving it the right email I use on it is helpful.
> if you show just one letter even for non-risky recovery attempts, why bother? It can't possibly be of any significant help to the users.
It can be, if you have just a handful of email accounts. Also if you don't recognize the first letter you know you definitely have messed up something.
> (Though honestly, if you show just one letter even for non-risky recovery attempts, why bother? It can't possibly be of any significant help to the users.)
Why? I use multiple email addresses and on these occasions seeing that single letter (at beginning or end) helps me know which account to check for recovery steps. This is significant to me.
Y'all know we used to publish everybody's phone number in a book along with their address and then distribute copies to every household, right?
We did it for many decades and it was fine. Every pay phone, which was a phone anyone with a couple coins could make anonymous calls from, had this giant book right there for your reference. Everyone knows this, right?
If you didn't know someone's number you could look it up and call them. They wouldn't have caller ID so you'd identify yourself and then you could talk to them.
This was 99.99% of the time not a problem.
We need to stop freaking out about a "security vulnerability" that does 1/50th of a system that everyone used mostly without incident for decades.
Besides, none of this information is actually private now, it's all still for sale. These companies freak out about this stuff because your data is their product, it's not supposed to be free.
I'm sure not everyone knows this, because there are people on this site who have not grown up with phone books.
The article talks about a reverse phone book: according to the author, given a phone number, you are able to look up name (and profile picture). To my understanding there were no reverse-lookup phone books like that back in the day.
While this is factually correct, what you are missing is the point that most people have mobile phones these days, and their phone numbers are tied to a ton of other accounts and services. These include second factor auths (using text or voice calls) for other websites, bank accounts, social security ids (I'm not talking about the US), insurance policies - the list goes on. You would not want your number to be available to the general public - because that makes you vulnerable to social engineering attacks.
The phone book was always opt-in in Germany, and reverse lookup was declared illegal after some time too. They suggested it when you signed the contract, but it was a clause you could easily not accept, at no extra cost.
Part of the issue is the meaning of privacy now. Decades were spent fighting for the right to not receive, or to receive targeted phone calls.
We're now (at least my cohort) in a world where no one, ever answers the phone. Either you're in my phone book, or I'm never answering the phone. It's rather liberating.
Attitudes have changed. A friend recently posted a newspaper clipping from nearly 40 years ago when he won some sort of "attractive baby" competition in Guildford, UK. The paper included his name and full address. Can you imagine that now and the "BUT WHAT ABOUT THE PEDOS!" response it would elicit!
I get it that the right to privacy has not been such a priority in the past, especially outside Europe, but there's nothing wrong in trying to strengthen it.
What was maybe fine a couple decades ago is no longer fine in a world where anyone from any jurisdiction in the world can abuse your privacy for fun and profit.
There was also opt-out, even decades ago. You could tell the phone company that you wanted an unlisted number, and you would be excluded from the phone book.
> Y'all know we used to publish everybody's phone number in a book along with their address and then distribute copies to every household, right?
By user choice. You had to register your phone number and address to be in that book.
It was immediately obvious to everyone what was going on: everybody received the same complete book of information and knew how that was published, with at least a system of opting-out (it was always opt-in, from what I remember).
A number of years ago I trialled a reverse look-up using this method (for both mobile numbers and email) as a grey hat project for a data aggregator I contracted to validate existing email / phone pairings (bad email and numbers gets you banned quickly by dispatch partners).
It worked because the returned "is this you" image at the time had a filename that was a base64 encoding of the user's ID for the graph interface, which at the time pulled back a surprising amount of info if you queried the key directly (obtaining the key generally required you to be a friend-of-friend or closer).
I got hit rates of about 70% for a sample of ~100,000 email/mobile pairs (that were already suspected to be valid).
Sounds like the trick to get the key has been resolved (I was too early in my career to feel comfortable disclosing my research) but I am surprised a similar vector exists almost a decade on - especially after the whole Cambridge Analytica fiasco.
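The weakness in that comment is a design one: a public asset name that is merely an encoding of the user ID. The following is an added illustration, not code from the thread or from Facebook, showing the reviewer's check for that mistake next to two server-side alternatives. The server key, the owner table and the user IDs are constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed server-side secret; in a real deployment it comes from a secret store.
SERVER_KEY = b"constructed-example-key-do-not-reuse"

# Stand-in for the database table that maps random asset names back to owners.
ASSET_OWNERS = {}


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def weak_asset_name(user_id: int) -> str:
    """The pattern the comment describes: the filename is just the user ID in
    base64. That is an encoding, not a secret."""
    return _b64(str(user_id).encode())


def is_reversible(name: str) -> bool:
    """The check a reviewer would run on a public asset URL: if the name
    base64-decodes to a plain numeric ID, the URL is leaking that ID."""
    padded = name + "=" * (-len(name) % 4)
    try:
        return base64.urlsafe_b64decode(padded).decode("ascii").isdigit()
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
        return False


def keyed_asset_name(user_id: int) -> str:
    """Deterministic but not invertible without SERVER_KEY: HMAC-SHA256 of the
    ID, truncated to 128 bits. Still correlatable, since the same user gets the
    same name wherever the picture is embedded."""
    mac = hmac.new(SERVER_KEY, str(user_id).encode(), hashlib.sha256).digest()
    return _b64(mac[:16])


def random_asset_name(user_id: int) -> str:
    """Unlinkable: a fresh random name per upload, with the owner kept server-side."""
    name = _b64(secrets.token_bytes(16))
    ASSET_OWNERS[name] = user_id
    return name


if __name__ == "__main__":
    uid = 1234567  # constructed ID
    for label, name in (("weak", weak_asset_name(uid)),
                        ("keyed", keyed_asset_name(uid)),
                        ("random", random_asset_name(uid))):
        print(label, name, "reversible" if is_reversible(name) else "opaque")
```

The keyed variant is the cheap fix when the storage layer cannot hold a lookup table; the random variant is the better one for a profile picture, because a deterministic name lets the same account be recognised everywhere its picture appears even when the ID itself stays hidden.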
I have a shell script named 'lookup' that lets me know (through twilio) the location, mobile carrier, and registered name of a phone number.
I wrote it to quickly identify mobile vs. non-mobile numbers that I might text - also from the command line.
I won't paste the entire script here (mostly authentication and argument parsing) but the meat of it is:
/usr/local/bin/curl -X GET "https://lookups.twilio.com/v1/PhoneNumbers/$number?Type=carrier&Type=caller-name" -u "$accountsid:$authtoken"
I use this several times weekly.
EDIT: by "location" I mean their mobile country code - not their actual location which, of course, you cannot get without (ab)using SS7 which is beyond the scope of twilio ...
In countries which have number portability this may not always be right. For example my phone number returns Vodafone, which was the carrier it was originally assigned to 15 years ago, but I've been on other networks for over a decade.
I once caught a thief who stole my Nokia MS Windows phone using this feature. Apparently they didn't reset the phone at the start, but put their SIM in, and some of their SMS started syncing to my other phone before it occurred to them to reset. One of the messages was a Facebook password reset helper message, which had the clear phone number and a link to a page which had instructions on how to reset the password.
Clicking on that link also set a cookie IIRC on my laptop; Facebook started showing their DP as one of the options to log in (it would still ask for their password, so I was not able to log in to their account). Their DP URL had their user ID embedded in it, which was enough to find their profile. Turns out they were friends with another person who was in my college (and where my phone was stolen from). We caught that person, involved the university administration, and made him give us the phone back. It was a whole scandal for a while. The university expelled that person later on.
(Going to the police was not really an option since this was in India; I wanted to resolve the matter on my own if possible, even though I had the phone number.)
When I still had a social life, Facebook was returning the account simply by searching the phone number or email.
So useful.
I also loved the first release of graph search (not the dumbed down version they released shortly after) which was letting you specify very specific queries.
I managed to find a girl I met on a train (whose number I stupidly didn't ask) just with her first name, university and knowing something she liked.
Later on, trying to replace graph search, I had to write some hacky scripts to scrape data across a network of friends (likes, groups, friends, who interacted with you on your public profile + recursively scrape data from friends of friends) to find people.
TFA is terribly irresponsible advice due to how many calls are spoofed. I don't need someone tracking me down and raining hellfire down on me over a spoofed number that happened to be mine.
I do this all the time: Don't recognize number, add to contacts, check Whatsapp picture. Doing this I found out an old aunt I hadn't talked to in a long time was pocket calling me recently :)
I once tracked down a Craigslist scammer by looking up their phone number (it was a groove number) within google voice. It showed his name, google profile, and photo. Their name helped me find their Facebook and Instagram. Long story short, I got my money back.
IIRC: Google used to enable allowing people to look you up by your phone number (it was something along the lines of: help your friends find your account). This used to be on by default; it doesn't seem to be anymore.
Try looking up your friend’s google voice numbers in google voice and see if they have the option enabled.
So called "Identity Graph" or "Identity Resolution" providers integrate with thousands of CRM systems and harvest the customer data in bulk, then sell the combined profiles back to the companies integrating them. Get an API access, provide one piece, like a phone number, and they resolve it to names, home addresses, email addresses, social media usernames and so on.
I mean I don't like Facebook, but this topic is small fish.
This doesn't seem like something which is of concern but on a tangential note, I wanted to check how you guys maintain your phone number privacy. Consider the cases:
- I absolutely hate giving my phone number to new ecommerce sites as it is just a database that will eventually get leaked. The only one I can trust here is Amazon probably.
- Phone number on packages. A person can read your name, address and phone number from a package which seems like a lot of info. Address is required but phone number shouldn't be as you can very well redirect the call using custom pins.
- Talking to new people on dating apps. I don't use IG, so a phone number is something I have to exchange. Now I would never give my number to an anon on the internet, but on dating apps I have to for my own benefit.
Do you guys maintain burner phone numbers for these cases?
If you use email as some kind of account key, you can generally find out whether that email has signed up (if not the username).
Automatic password reset and email verification are good for businesses and users in a lot of ways, so this is a tradeoff.
If FB is showing the specific account linked to an SMS that's IMO negligent, but shrug, they employ more lawyers than I do and they've never been investigated by the FTC for privacy issues.
I’ve seen this obfuscated by some systems by always just throwing the user a message saying the reset email has been sent so that there’s no indication whether or not the email is associated with an account or not.
Of course, that doesn’t help someone who can’t remember if they’d signed up or not but it’s probably the safer way to go in general.
In most cases attackers can use the signup flow to see if an email is registered so as long as it isn’t less protected (with a captcha etc) it isn’t any more of a privacy leak in that regard.
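The uniform-response approach from the two comments above, as an added example that is not code from the thread or from any of the services discussed. It keeps the password-reset answer identical for registered and unregistered addresses, and, per the point that the signup flow must not be the weaker door, does the same for signup by moving the existence check into the e-mail that gets sent. The user store, the outbox list and the response strings are constructed for the example.

```python
import secrets

# Constructed user store (email -> display name); not real accounts.
USERS = {"alice@example.com": "Alice", "bob@example.com": "Bob"}

# Stand-in for the mail queue. The requester never sees it; it exists only so
# the example can show which side effect each path produces.
OUTBOX = []

RESET_RESPONSE = "If an account exists for that address, we have sent a reset link."
SIGNUP_RESPONSE = "Check your inbox to continue."


def _normalize(email: str) -> str:
    return email.strip().lower()


def request_password_reset(email: str) -> str:
    """Answer identically for registered and unregistered addresses. The token
    is generated on both paths so they do roughly the same work; the only
    difference is an enqueued mail, which the caller cannot observe."""
    addr = _normalize(email)
    token = secrets.token_urlsafe(32)
    if addr in USERS:
        OUTBOX.append(("reset", addr, token))
    return RESET_RESPONSE


def signup(email: str) -> str:
    """Closing the reset flow is pointless if signup replies 'already taken'.
    Here a registered address receives a 'you already have an account' notice
    and an unregistered one a verification link; the HTTP response is the same."""
    addr = _normalize(email)
    token = secrets.token_urlsafe(32)
    if addr in USERS:
        OUTBOX.append(("already-registered", addr, token))
    else:
        OUTBOX.append(("verify", addr, token))
    return SIGNUP_RESPONSE


def leaks_existence(flow, registered: str, unregistered: str) -> bool:
    """True if the visible response differs between a known and an unknown address."""
    return flow(registered) != flow(unregistered)


if __name__ == "__main__":
    for flow in (request_password_reset, signup):
        print(flow.__name__, "leaks:", leaks_existence(flow, "alice@example.com", "nobody@example.com"))
    print(OUTBOX)
```

Two caveats belong with this pattern. The response body is only one channel: a database miss that returns faster than a hit, or a rate limiter that counts only real accounts, still answers the question, so the lookup and the send should run off the request path. And as the second comment notes, the protection is only as strong as the least protected flow that touches the same table, so signup, login, and "invite a friend" need the same treatment and the same rate limiting.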
Is this a security problem? Depends on who you ask - but I'm willing to bet it would fall into the "accepted risk" category for the Facebook security team if they had to evaluate this.
The reality is that phone number lookup services are available all over the web which provide even more information (first+last name, address, zip code, social media profile links, etc etc etc) for free (https://www.bestfreephonelookup.com/phone-number/ as an example) - these services get their info from data aggregators and usually - your carrier! I don't see how Facebook exposing (in _limited_, very specific circumstances) the first name behind a person's phone number is a security issue.
All the people in this thread screaming GDPR violation don't understand that if someone decides to stop using Facebook and delete their account, this method to lookup someone will not work. Sidenote: If you're really paranoid about having your phone number expose your real name when you're using any type of service online, just sign up for a Google Voice (voice.google.com) account and link it to your cell phone - I use this whenever I sign up for anything online and it saves me a ton of spam and scam calls.
EDIT: Facebook removed the ability to use the in-app search box in Facebook to find people based on just a phone number, this has been removed for at least 2 years.
I don't know if it still works, but some time ago I used that to find the real name of someone just using their phone number. However, that person wasn't really trying to keep their identity secret.
It depends on their settings. I usually can see photo and name as soon as I add them. For my own number however people can’t see either piece of information until I add the number to my contacts.
[+] [-] jsnell|5 years ago|reply
[+] [-] dn3500|5 years ago|reply
[+] [-] kuroguro|5 years ago|reply
[+] [-] cassianoleal|5 years ago|reply
[+] [-] folmar|5 years ago|reply
[+] [-] lolsal|5 years ago|reply
[+] [-] kristopolous|5 years ago|reply
[+] [-] wwwwewwww|5 years ago|reply
[+] [-] talonx|5 years ago|reply
[+] [-] rendx|5 years ago|reply
[+] [-] cik|5 years ago|reply
[+] [-] framecowbird|5 years ago|reply
[+] [-] richrichardsson|5 years ago|reply
[+] [-] Rygian|5 years ago|reply
[+] [-] Hamuko|5 years ago|reply
And we didn't use to tie second-factor authentication into SMS messages to your phone number.
[+] [-] codingdave|5 years ago|reply
[+] [-] goatcode|5 years ago|reply
[+] [-] lolsal|5 years ago|reply
[+] [-] aembleton|5 years ago|reply
Or did I have to go through the whole book to find a match?
[+] [-] throwaway2245|5 years ago|reply
[+] [-] hulahoof|5 years ago|reply
[+] [-] rsync|5 years ago|reply
[+] [-] fy20|5 years ago|reply
[+] [-] Merman_Mike|5 years ago|reply
[+] [-] hadrien01|5 years ago|reply
[+] [-] silver_quiver|5 years ago|reply
[+] [-] jokethrowaway|5 years ago|reply
[+] [-] ChrisMarshallNY|5 years ago|reply
I have a canned response txt, that I send, when declining the call.
I often get “message failed to send,” but I sometimes get a confused text from someone, telling me they didn’t call.
[+] [-] Igelau|5 years ago|reply
[+] [-] teekert|5 years ago|reply
[+] [-] scotty79|5 years ago|reply
[+] [-] dheera|5 years ago|reply
[+] [-] eyeareque|5 years ago|reply
[+] [-] eyeareque|5 years ago|reply
[+] [-] Jon_Lowtek|5 years ago|reply
[+] [-] actuator|5 years ago|reply
[+] [-] awinter-py|5 years ago|reply
[+] [-] MattGaiser|5 years ago|reply
Whether or not you have an account, the system says a reset email has been sent.
[+] [-] 52-6F-62|5 years ago|reply
[+] [-] evan_|5 years ago|reply
[+] [-] Buge|5 years ago|reply
https://www.ftc.gov/news-events/press-releases/2019/07/ftc-i...
[+] [-] scottmcdot|5 years ago|reply
[+] [-] Magicstatic|5 years ago|reply
[+] [-] tomp|5 years ago|reply
[+] [-] unknown|5 years ago|reply
[deleted]
[+] [-] bitlevel|5 years ago|reply
https://www.unknownphone.com/
In the UK...
[+] [-] kumarvvr|5 years ago|reply
[+] [-] bamboleo|5 years ago|reply
[+] [-] zwog|5 years ago|reply
But I don't know what is the default setting.
[+] [-] jomaorfe|5 years ago|reply