Technical Director

  • 0
  • 0

A few months ago, I discovered a security loophole in Facebook that allows hackers to decrypt and sniff out Facebook user IDs using one of Facebook’s APIs in bulk – therefore allowing them to gather millions of users’ personal data (name, telephone number, location, images, and more). This post is an attempt to catch Facebook’s attention to get this issue fixed.

Through this, a hacker can then communicate with Facebook’s GraphQL to get as many details as possible, by passing the hashed ID.

By using a script, an entire country’s (I tested with the US, the UK and Canada) possible number combinations can be run through these URLs, and if a number is associated with a Facebook account, it can then be associated with a name and further details (images, and so on).

Sample GraphQL response with personal Information
Sample GraphQL response with personal Information

This could be a huge phishing problem if no limit is created, and the loophole is discovered by the wrong person. The communication with those APIs needs to be pre-encrypted and/or other measures need to be taken before this loophole is discovered by someone who could do harm.

How I discovered this security loophole

Perhaps the most worrying aspect of discovering this issue is that it happened entirely by mistake – I wasn’t even searching for flaws in Facebook’s security when I came across it.

What does this issue mean for Facebook users?

Unfortunately, for the 1.44 billion people currently using Facebook, this means that sophisticated hackers and black market sellers can access names and mobile phone numbers in as little as an hour through reverse engineering – at a time when an entire identity can be sold for as little as $5.

What can be done about this issue?

The good news is that Facebook should be able to fix the problem by limiting the requests from a single user, and detecting patterns, before moving on to pre-encrypting all of it’s data.

For those of you who are wondering why I haven’t notified Facebook about the issue, the truth is that I have – back in April (2015).

Although I did receive a reply, initially the engineer I was in contact with was unable to reproduce the issue himself, and therefore failed to understand the technical details of how it should be fixed.

Facebook's initial response to the security problem
Facebook’s initial response to the security problem

After a couple of months of waiting, I initially thought someone else will look into it and fix it but I heard nothing, so I raised the flag with them again. They finally came back to me and told me that this is not a big issue – they have set limits and I should not worry about this problem. But frankly, I am very worried.

Response from Facebook security team
Response from Facebook security team

What next?

For now, this is as much detail I can show, but I will update this post if further actions are taken. Hopefully this will be shared enough that Facebook will take notice, get in touch with us, and get this security issue fixed once and for all.

Are you currently looking for an experienced technical SEO Consultant to help you with your SEO audit?

You are in the right place. Speak to us and see how we can help you and your SEO project.

  • 0
  • 0
  • Gerry White

    With proxies, and some other simple tools – how many names and details could you export ? Probably worth a bit of time to prove the issue … (even if it is just a few hundred)

    • moaiandin

      When I did this for Facebook I tried it on a few thousands numbers and also Guardian has seen it, So it has been proven :)

      • Simon Stubbs

        Let it be exploited, the flaw is exposed among the people that will exploit it and facebook doesnt seem to care. If everyone had the knowledge to exploit it facebook would be pressured to do something.

  • Pavel Dragula

    Search endpoint in Graph API allows searching only by name when type=user ( Where is the flaw then?

    • moaiandin

      Sadly I cannot mention where this issue is as it will expose it to be exploited, Facebook is aware of where this issue is.

      • Pavel Dragula

        You can hack the ajax search form to do this but it is not possible simply by using Facebook API like I understood from this original article of yours and others that mention you. But anyway, good catch – hope they will fix it soon.

  • Aidan

    Great blog post. I reported an almost identical issue (albeit a different API) to Facebook in January 2014 but faced similar difficulties getting them to recognise the scope for abuse. I was able to lookup contiguous blocks of mobile numbers (in blocks of 5,000 at a time) with no discernible rate-limiting — I could pull them down as fast as my connection could handle (maybe ~50k numbers/min).

    If you make any headway with Facebook let us know and I will try pinging them again. It was especially worrisome as the number range I tried (NYC) had a hit-rate of about 20%.

    • Reza Moaiandin

      This is very interesting to see that you reported similar issues yet it got ignored, 20% is a very high hit rate which makes it even more interesting! I will update you on this if I hear anything.

  • Chris Sebastiano

    What program you use to setup GraphQL like that?.. Installed Node.js.. looks nothing like that