A 'white hat', or ethical, hacker in Belgium claims he has found a serious security flaw that enables attackers to learn Facebook users' personal phone numbers, and he is now threatening to release details of the exploit unless the social network agrees to listen to him and patch the vulnerability.
Inti De Ceukelaire, 21, is a creative developer for a Belgian public broadcaster who also moonlights as a white hat hacker and bug bounty hunter. He has been discovering and reporting security vulnerabilities since the age of 16, and has worked with Facebook to report critical flaws since 2013. He has also found a total of 137 vulnerabilities for the bug bounty platform HackerOne, which works with multiple big brands in the technology industry.
De Ceukelaire has discovered that it is possible to discover the phone number attached to an individual's Facebook account within 30-45 minutes for each account, if the individual comes from a country with a smaller population (11 million or less), such as Belgium, where landline telephone numbers have 12 digits or less.
He proved this by using the exploit to discover the phone numbers of high-profile Belgian celebrities and politicians, but when he informed Facebook, the social network didn't seem to take the issue seriously. This concerned him, so he began talking to Belgian media and speaking with some of the affected celebrities on TV and radio to inform the general public.
He now intends to release the details in a blog post on 13 February, in a bid to make everyone aware and to hopefully convince the social network to take it seriously.
"I've been working with Facebook submitting bugs since 2013, and sometimes they get accepted, sometimes they don't. I don't really care if they don't get accepted and most of the time they have a good reason, but this time I don't agree with their reasoning," De Ceukelaire, who has so far earned $15,000 (£12,130) from Facebook bug bounty rewards, told IBTimes UK.
"Facebook's argument is that we Belgians can 'protect' our phone number by setting the 'Who can look me up?' feature to 'friends' only, but by default it's public. My argument is that it doesn't matter which country you live in, everyone should be able to protect their phone number."
Facebook needs to properly secure users' phone numbers
The issue is that Facebook now forces users to tie their mobile phone number to their Facebook profiles in order to use its services, so if you decide that you don't want the social network to have your phone number, then you are no longer allowed to use a mobile device to upload photographs.
De Ceukelaire says that although it might be much harder to crack a US or UK user's phone number using his exploit, it is not impossible – it would just take a lot longer. This might put hackers off, but people who live in one of the 118 countries in the world with a population smaller than Belgium are at risk of having their phone numbers stolen from their Facebook profiles.
"It's not personal and I have a lot of respect for the Facebook security team – if Facebook doesn't accept a bug, you are free to blog about it. I just think that the standard privacy setting to protect phone numbers should be 'only me', which does not exist," said De Ceukelaire, who previously went public about a security flaw that enables anyone to access links shared in private conversations on Facebook Messenger in June 2016.
"I tested more and more Belgian celebrities, and 70% had their phone numbers connected with their accounts. The smaller the country, the faster it is. I tested Sweden, and it was even faster to crack phone numbers than Belgian numbers."
Facebook told IBTimes UK that while it appreciates the bug report submitted by De Ceukelaire, the ability to associate a phone number with an account is expected if the account is set up to allow that function. The social network uses rate limits to deter abuse, and is considering adjusting the rate limits for the feature.