Android users can relax. This isn’t about you this time. This time, it’s Facebook‘s turn to take the hot seat. Not that it has completely left the chair anyway. According to Reza Moaiandinm, Technical Director of marketing company SALT.agency, Facebook has a gaping security hole that leaves it wide open to attack and its users vulnerable to phishing attempts. While news of such security lapses aren’t exactly new, especially with Facebook involved, Moaiandinm’s beef stems from the fact that Facebook has seemingly done nothing months after he reported the exploit.
According to Moaiandinm, a hacker can run through the entire combination of potential user ID number per country in order to reach one that has an actual matching Facebook account. Once it gets a hit, the hacker can then get that particular user’s details en masse, including names, telephone numbers, photos, the works.
That was in April. Moaiandinm reported the matter to Facebook. At first he got a reply from an engineer who noted that he or she couldn’t reproduce the vulnerability and asked for more information. Moaiandinm complied with the request but received no response since then. Once again he alerted Facebook who this time says that it’s not really a big deal as it has checks in place to prevent such activities. Naturally, Moaiandinm begs to disagree considering the results of his own experiments.
For Moaiandinm, the stopgap solution is simple: limit the amount of data requests a user can make and then eventually ensuring that user IDs are encrypted. Facebook says it already does throttle such requests but probably feels that any more would negatively impact user experience.
At this point, it’s sort of like a he said, she said kind of situation, where one party claims the severity of the security hole while the other downplays it. Considering how rampant hacking incidents are these days, perhaps it something that deserves a second and deeper look.