Reza Moaiandin, co-founder of SALT.agency, has developed an algorithm that exploits a flaw in a Facebook default privacy setting to obtain cell phone numbers linked to Facebook accounts and then get information associated with those accounts.

The numbers were then sent to a Facebook application programming interface (API) and got back user profiles, each with an identification number that could be used to obtain information such as the user's full name, public profile information, phone make and messenger type.

Moaiandin said: “A person with the right knowledge can harvest the non-private details of the users who allow public access to their phone numbers." He added that the attacker could then sell the information to make available for unsolicited calls.

Facebook did not consider it a vulnerability. Moaiandin also wrote that Facebook explained there are controls in place to monitor and mitigate abuse but the researcher says there are ways around these measures such as using multiple accounts.

Source: SCMagazine