Facebook API flaw Left 1.44 Billion Users’ Identities at risk

Pierluigi Paganini August 12, 2015

A security flaw in the Facebook API allows hackers to decrypt and scan user IDs, nearly 1.44 billion Facebook users are at risk of identity theft.

The security researcher Reza Moaiandin, Technical Director at Salt Agency, discovered a flaw in Facebook’s API that can allow hackers to scan for user ID, and that leaves about 1.44 billion users in the hand of crooks.

“Through this, a hacker can then communicate with Facebook’s GraphQL to get as many details as possible, by passing the hashed ID.

By using a script, an entire country’s (I tested with the US, the UK and Canada) possible number combinations can be run through these URLs, and if a number is associated with a Facebook account, it can then be associated with a name and further details (images, and so on).” The expert wrote in a blog post.

What this means is that a hacker can gain access to your personal information, checking out your name, location, phone, pictures and other personal data you may have.

“The most worrying aspect of discovering this issue is that it happened entirely by mistake.” , “I wasn’t even searching for flaws in Facebook’s security when I came across it.” Threat actors can potentially steal all user information and sell them in the black market. Continues Moaiandin.

Moaiandin had originally reported this issue on April 22, but Facebook engineers weren’t able to reproduce the error:

Facebook API flaw

After this message, Moaiandin provided Facebook with all the requested data but haven’t got any reply from Facebook, and the flaw is still present.

After 2 months passed, on July 28 Moaiandin tried to contact Facebook again about the same issue and got back the following message:

Facebook API flaw 2

Facebook appears a bit careless, and according to the expert it is putting at risk user data.

Please re-check your profile settings, and don’t leave anything public that can be used by crooks to get money.

Fortunately the problem is easy to fix as suggested by the expert, Facebook should be able to solve the issue by limiting the requests from a single user, and detecting patterns, before moving on to pre-encrypting all of it’s data.

About the Author Elsio Pinto (@high54security) is at the moment the Lead Mcafee Security Engineer at Swiss Re, but he also as knowledge in the areas of malware research, forensics, ethical hacking. He had previous experiences in major institutions being the European Parliament one of them. He is a security enthusiast and tries his best to pass his knowledge. He also owns his own blog Mcafee Security Engineer at Swiss Re, but he also as knowledge in the areas of malware research, forensics, ethical hacking. He had previous experiences in major institutions being the European Parliament one of them. He is a security enthusiast and tries his best to pass his knowledge. He also owns his own blog http://high54security.blogspot.com/

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Facebook, social network)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment