Hello, Facebook! Here is the Stalkers’ Paradise!: Design and analysis of enumeration attack using phone numbers on Facebook

Abstract

We introduce a new privacy issue on Facebook. We were motivated by Facebook’s search option, which exposes a user profile with his or her phone number. Based on this search option, we developed a method to automatically collect Facebook users’ personal data (e.g., phone number, location and birthday) by enumerating almost the entire possible phone number range for the target area. To show the feasibility, we launched attacks targeting users who live in two specific regions (United States and South Korea) by mimicking real users’ search activities with three sybil accounts. Despite Facebook’s best efforts to stop such attempts at crawling users’ data with several security practices, 214,705 phone numbers were successfully tested and 25,518 actual users’ personal data were obtained within 15 days in California, United States; 215,679 phone numbers were also tested and 56,564 actual users’ personal data were obtained in South Korea. To prevent such attacks, we recommend several practical defense mechanisms.

Cite

Kim, J., Kim, K., Cho, J., Kim, H., & Schrittwieser, S. (2017). Hello, Facebook! Here is the Stalkers’ Paradise!: Design and analysis of enumeration attack using phone numbers on Facebook. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 10701 LNCS, pp. 663–677). Springer Verlag. https://doi.org/10.1007/978-3-319-72359-4_41
