Earlier this month, Reza Moaiandin, software engineer and SALT.agency technical director, wrote a blog post about how he has discovered a way to harvest Facebook users’ personal data using one of Facebook’s APIs. Moaiandin says in the blog post that there is a way for hackers to use a Facebook API to “decrypt and sniff out Facebook user IDs” in bulk. Hackers can then communicate with GraphQL, a data querying language created by Facebook, “to get as many details as possible, by passing the hashed ID.”
There have been quite a few articles published about Moaiandin’s Facebook security loophole blog post. Some of the articles about this news are somewhat contradictory, so ProgrammableWeb reached out to Reza Moaiandin to find out more about this issue involving the Facebook API.
Moaiandin told ProgrammableWeb that he was only able to find people through the Facebook API who have their phone number set as public and he has not yet found any private information through the API. He also said that if Facebook users set their phone number to private, that does prevent the API from displaying their user ID. Alternatively, not providing a phone number to Facebook will safeguard accounts from this particular problem.
A Facebook spokesperson provided ProgrammableWeb with a statement:
"Everyone who uses Facebook has control of the information they share, including information on their profile and who can look them up by phone number. Our Privacy Basics tool has a series of helpful guides that explain how people can quickly and easily decide what information they share and with whom they want to share it."
Using a Facebook API, GraphQL, and a custom script, Moaiandin was able to harvest users’ public data in bulk, much of it personal data: i.e., name, telephone number, location, etc. Moaiandin told ProgrammableWeb that he was also able to obtain a few details about the users’ app information, such as version, installation time, and whether messages can be pushed to their phone.
The Facebook spokesperson stated that “the privacy of people who use Facebook is extremely important to us. We have strict rules that govern how developers may use our APIs to build their products, and in this instance all the information being returned is already designated to be Public.”
While it’s true that the information Moaiandin was able to obtain is designated as public information, the concern is that hackers can potentially use the Facebook API to harvest users’ public data in bulk (much of it personal data). Even with API rate limits in place, the potential for Facebook users’ personal data to be harvested by hackers and black market sellers is still there.
Last year, RAND Corporation published a detailed report about the hacking community and cyber black markets. According to the report, certain aspects of the cyber black market have become more profitable than the illegal drug trade. In addition, social media accounts like TwitterTrack this API and FacebookTrack this API cost more to purchase and are more profitable than stolen credit cards.
The potential for hackers and black market sellers to discover how to harvest Facebook user data in bulk, as Moaiandin did, is why he is urging Facebook to implement pre-encryption to further secure their APIs. This is a second layer of encryption, something that Apple and Google have already implemented. Moaiandin explained that when the Facebook API communications happen, the user ID can be seen in the JSON content. He is suggesting that Facebook encrypt that JSON so that it cannot be read during the communication, decrypting the JSON later so that it is harder for hackers to sniff out Facebook user IDs.
Facebook may or may not implement a second layer of encryption like Apple and Google in the future. Therefore, Facebook users are ultimately responsible for taking whatever steps they can to safeguard their Facebook accounts. In this case, by setting their phone number to private or by removing it.