Facebook allows anyone to look up people’s profiles using phone numbers
4 March 2019
Facebook allows its users across the globe to use their phone numbers to secure their accounts with two-factor authentication. This allows users to recover their passwords, receive notifications via SMS and prevent fraudsters from hacking into their Facebook accounts.
However, Facebook is using its users’ phone numbers for much more than merely securing their accounts. In September last year, Gizmodo revealed that Facebook gave advertisers unprecedented access to users’ phone numbers so that advertisers could carry out targeted advertising based on people’s profession, likes, dislikes and their online activities.
Recently, Jeremy Burge, Chief Emoji Officer at Emojipedia, noted that Facebook is also using people’s phone numbers to let users find people on Facebook by typing in a phone number. This setting is marked as “everyone” by default, which means that unless a Facebook user changes who can look up his/her profile using a phone number, anyone on Facebook can find that profile.
In Facebook settings, if one checks the field “Who can look you up using the phone number you provided?”, the options available are “Everyone, Friends of friends, or Friends” which means you cannot stop your Facebook friends from looking up your profile using your phone number.
Like it or not, Facebook already knows your phone number
Burge added that even if Facebook users do not provide their phone numbers to the social media giant to activate two-factor authentication, there’s a chance that Facebook already has their phone numbers thanks to an integration with WhatsApp, Facebook Messenger, and Instagram.
For years Facebook claimed that adding a phone number for 2FA was only for security. Now it can be searched and there's no way to disable that. pic.twitter.com/zpYhuwADMS
— Jeremy Burge (@jeremyburge) March 1, 2019
“*Not* giving your phone number to FB is borderline pointless: they have it anyway. If any of your friends accepts Messenger or WhatsApp accessing their contacts, Facebook knows your number, no matter what you do. When opening Facebook Messenger for the first time, the default action to create a new account is no longer email or username; it’s phone number. The holy grail. The unique ID,” he said.
He added that days after providing his phone number to Facebook, he got a notification from Instagram that displayed his phone number and asked him to add it to his Instagram account to receive relevant ads, receive SMS notifications, and find friends.
Burge recommends that if you want to secure your Facebook account with two-factor authentication, then instead of providing Facebook with your phone number (which will be shared with advertisers, with WhatsApp and Instagram, and allow other people to find your profile), you should use app-based 2FA: every time you log in to your Facebook account, the third-party app will generate a unique token number.
“Yep. I can no longer keep private the phone number that I PROVIDED ONLY FOR SECURITY to Facebook. ZERO notification of this major, risky change. For years I urged dissidents at risk to use 2FA on Facebook. They were afraid of this. @Facebook doesn’t care about their safety,” wrote Zeynep Tufekci, a reporter at The New York Times.
“Based on assurances by Facebook that 2FA numbers were 2FA only, we told people—AT REAL RISK—to use 2FA even when it was just via phone number. It sucked, but getting hacked is more dangerous. Hard for dissidents to avoid Facebook. Now sold out to improve ad-targeting a tiny bit.
“Phone number is such a private, important security link. But Facebook will even let you be targeted for ads through phone numbers INCLUDING THOSE PROVIDED *ONLY* FOR SECOND FACTOR AUTHENTICATION. Messing with 2FA is the anti-vaccination misinformation of security. Unconscionable,” she added.