New App Exposes Facebook Users' Phone Numbers

Discussion in 'BlackHat Lounge' started by The Scarlet Pimp, May 25, 2010.

  1. The Scarlet Pimp

    "Evil," a new tool created by Tom Scott, is leveraging Facebook's Graph API to expose Facebook users' phone numbers.

    Unlike the glitch that revealed users' private chats, or the snafu that spilled personal email addresses, Evil is not a bug exploiting a Facebook security weakness.

    Rather, it's an app that searches Facebook groups created by people who've lost their phones hoping to get friends' numbers, then collects and displays the publicly-shared phone numbers.

    Evil calls attention to the kind of personal information users are sharing online, often without realizing how widely it can spread.

    Although Evil censors part of the numbers that it displays, "those digits are publicly available," Scott says. "Anyone could scrape them. And produce a phone directory. Or nick them for marketing."

    Scott explains how he created the tool:

    There are uncountable numbers of groups on Facebook called "lost my phone!!!!! need ur numbers!!!!!" or something like that. Most of them are marked as 'public', and a lot of folks don't understand what that means in Facebook's context -- to Facebook, 'public' means everyone in the world, whether they're a Facebook member or not. So Evil uses the graph API to search for groups about lost phones, picks a couple at random, extracts the phone numbers, and shows them here.

    See a demo of Evil in the video below.
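The pipeline Scott describes (find public "lost my phone" groups, pick a couple at random, pull the numbers out of the posts, display them censored) as an added example. This is not Tom Scott's code and it makes no Graph API calls: the group search result and wall posts are constructed inline, and the field names ("name", "privacy", "feed") and the "OPEN"/"CLOSED" privacy values are assumptions for the example. The one thing worth seeing beyond the text is how crude the extraction can be and still work: a loose digit-run regex plus a length check is enough to pull numbers in several national formats while rejecting dates and other digit runs.

```python
import random
import re

# Constructed stand-in for a Graph API group search result. The field names
# ("name", "privacy", "feed") and the "OPEN"/"CLOSED" privacy values are
# assumptions for this example, not a real API response.
SAMPLE_GROUPS = [
    {"id": "1", "name": "lost my phone!!!!! need ur numbers!!!!!", "privacy": "OPEN",
     "feed": ["hey its dave, 07700 900123",
              "Mine's +44 7700 900 456 - Sam",
              "no number, just a thumbs up"]},
    {"id": "2", "name": "LOST MY PHONE need numbers", "privacy": "CLOSED",
     "feed": ["members only: 07700 900789"]},
    {"id": "3", "name": "Lost phone :( text me ur numbers", "privacy": "OPEN",
     "feed": ["call me on (555) 123-4567",
              "555.123.4567 again in case",
              "2010-05-25 is not a phone number"]},
]

# A run of digits with optional spaces, dots, dashes and parentheses, optionally
# starting with "+". Deliberately loose: precision comes from the length check below.
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{6,}\d")
MIN_DIGITS, MAX_DIGITS = 10, 15   # shortest plausible national number .. E.164 maximum
HIDDEN_DIGITS = 4                 # how many trailing digits to censor when displaying


def extract_numbers(text):
    """Return digits-only phone numbers found in free text, in order, deduplicated."""
    found = []
    for m in PHONE_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        # Dates, IDs and short fragments also look like digit runs; drop anything
        # outside a plausible phone-number length.
        if MIN_DIGITS <= len(digits) <= MAX_DIGITS and digits not in found:
            found.append(digits)
    return found


def mask(number):
    """Censor the last digits, as the tool did, so the output is not usable as a directory."""
    return number[:-HIDDEN_DIGITS] + "X" * HIDDEN_DIGITS


def harvest(groups, sample_size, rng):
    """Pick `sample_size` public groups at random and collect masked numbers per group."""
    # Assumption: "OPEN" is the value meaning world-readable, which is the case Scott's quote is about.
    public = [g for g in groups if g.get("privacy") == "OPEN"]
    chosen = rng.sample(public, min(sample_size, len(public)))
    result = {}
    for g in chosen:
        numbers = []
        for post in g["feed"]:
            for n in extract_numbers(post):
                if n not in numbers:          # same number posted twice in different formats
                    numbers.append(n)
        result[g["name"]] = [mask(n) for n in numbers]
    return result


if __name__ == "__main__":
    for name, numbers in harvest(SAMPLE_GROUPS, 2, random.Random()).items():
        print(name, "->", numbers)
```

The closed group is skipped entirely, the two spellings of the same US number collapse to one entry, and the date in the last post is discarded by the length check rather than by any attempt to parse phone formats properly.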