A Facebook search feature has been branded a potential security risk after a software engineer revealed how personal data can be uncovered using only a mobile phone number.
The security loophole, discovered by Reza Moaiandin, technical director at technology firm Salt, found that names, telephone numbers, images and location data could be revealed by writing a script that generated and searched mobile numbers in bulk.
An algorithm run through a Facebook API could result in "millions of users' personal data" being stolen by hackers, according to Moaiandin.
The researcher also said that his discovery could result in significant phishing problems if Facebook does not limit mobile searches.
Moaiandin explained his research process in a blog post. "By using a script, an entire country's (I tested with the US, the UK and Canada) possible number combinations can be run through these URLs. And if a number is associated with a Facebook account it can then be associated with a name and further details," he said.
Moaiandin has called on Facebook to introduce a second layer of encryption to protect against this abuse, saying that "the communication with those APIs needs to be pre-encrypted and/or other measures need to be taken before this loophole is discovered by someone who could do harm".
Facebook was alerted to the bug on 22 April and again on 28 July, but insisted that protection against this hacking technique is already in place.
A spokesperson told V3 that Facebook has "industry leading proprietary network monitoring tools constantly running in order to ensure data security".
"We have strict rules that govern how developers are able to use our APIs to build their products. Developers are only able to access information that people have chosen to make public," the spokesperson added.
"Everyone who uses Facebook has control of the information they share. This includes the information people include within their profile, and who can see this information.
"Our Privacy Basics tool has a series of helpful guides that explain how people can quickly and easily decide what information they share and who they share it with."
Despite the response, Moaiandin said that Facebook users remain at risk as the bug is now widely known.
"Unfortunately for the 1.44 billion people currently using Facebook, this means that sophisticated hackers and black market sellers can access names and mobile phone numbers in as little as an hour through reverse engineering - at a time when an entire identity can be sold for as little as $5," he said.
Facebook recently rolled out a new set of security prompts in order to bolster the privacy of its users. The three-step Security Checkup is available now globally on desktop computers and offers advice on password protection and log-in alerts.
Not all loose ends tied yet, admits Bain backer SK Hynix
It's Stack Overflow's second calculator, and first for external devs
Theresa May always the keenest cabinet voice in favour of draconian online censorship, surveillance and controls
No need to waste time on Google launch planned for 4 October