Graph Search

Facebook Graph Search API Used To Brute Force Phone Numbers From Profiles

Facebook’s Graph Search feature hasn’t been released yet. But white hat hackers are already harnessing the powerful social search engine to gather sensitive information on Facebook users.

Facebook Graph Search
An API for Facebook’s Graph Search feature can be used to link phone numbers to Facebook profiles, harvesting user information from the network.

A new module for Recon-ng an open source “web reconnaissance framework” allows anyone with a Facebook Developer account to use Graph Search and Recon-ng’s features to harvest phone numbers associated with Facebook user accounts.

The tool, dubbed “Facebook Harvester” allows brute force searching by partial phone numbers, using brute-force techniques, according to a blog post by Rob Simon, a Canton, Ohio- based security professional.

Simon, who counts penetration testing and reverse engineering  among his skill set, wrote about his experiments using Graph Search on his blog, kc57.com. in April.

In a phone interview with The Security Ledger, Simon said his work doing penetration testing drew him to the Graph Search API, which allows programmatic interaction with the Graph Search engine. He said the capability of linking social media accounts or e-mail with phone numbers can be a powerful social engineering tool.

With nothing more than a phone number, the module can be used to locate a corresponding Facebook account. Those conducing open source research can even search by partial phone numbers. The ability to search by a partial number is particularly useful in finding a Facebook user’s number, because Facebook’s password reset feature reveals the last four digits of a cell phone number when the account is set up to receive SMS-based password reset messages, Simon wrote.

In one powerful example of Graph Search’s capabilities, Simon entered just an area code, returning a list of names, Facebook usernames and account profiles, gender and full phone numbers in that area.

There are some limitations to the Facebook Harvester module. It is a proof-of-concept and only useful for gathering phone numbers. The plug-in also requires an active authentication token from Facebook to work. Those are issued from Facebook’s developer site and only last for about an hour, Simon notes.

Still, the capabilities of the module, which queries the Graph Search API from within Recon-ng, are impressive and underscore the ways in which Facebook’s powerful Graph Search feature could be abused, even though it respects user profile privacy settings.

Facebook declined to comment on “Facebook Harvester,” but spokesman Frederic Wolens noted that Facebook has rate limits on queries using the API, in addition to the time limits on the authentication tokens.

Graph Search Brute Force
Screen capture showing Facebook Harvester results for a search by area and exchange code.

He also noted that Simon’s module is a violation of Facebook’s Terms of Use, which prohibits acquiring users’ information or scraping the site using automated means “without prior permission.”

Simon said he wasn’t aware of the Terms of Use violation, but that the API for Graph Search is explicitly designed for the kind of information harvesting that his Recon-ng module performs.

He said that the API can be used to query a wide range of information about a user’s profile. However, most searches are limited to the population of users who are in the Facebook friend network of the account conducting the queries. Only searches for the user name, e-mail and phone number will work across the larger population of Facebook users.

Online privacy experts were quick to express concern about the tool, which makes nominally “public” profile information much easier to search for. That conversation took on new dimensions after online-personality Tom Scott illustrated the way Graph Searches could be used to highlight Facebook profiles in  surprising (and embarrassing) ways – “Married people who like ‘Prostitutes’” (and their spouses) and “Current employees who like ‘racism’”.

Numerous guides to “locking down” profile information to avoid it being exposed to Graph Search. But it is likely that many – if not most – Facebook users won’t get around to locking down their account.

Simon said he intended his creation more as a tool for penetration testers than as a warning about the privacy risks of Graph Search. Working back from disparate pieces of information like an e-mail or phone number to create a user profile is one of his favorite activities as a pen tester, he said. “I kind of hope (the phone number search) doesn’t go away,” he said.

Still, his post suggests that the tool may become a powerful tool in the hands of social engineers, private detectives and others who want to tap Facebook’s billion-strong user base for information.

Comments are closed.