Facebook is the biggest social network out there, and such a claim has huge implications. After Suriya Prakash first notified Facebook about his exploit, Facebook denied that his actions could really pose a threat to any Facebook member. Prakash then decided to write a script to prove his concept on a large scale. He began collecting user data as (name, photo, phone number) records from random existing phone numbers that were registered on Facebook. He then made this list public while censoring some of the digits from each valid phone number.
Facebook explains that it is not possible for someone to extract the phone numbers of its 600 million mobile users because of certain limitations that are in place. Facebook reportedly does not allow too many queries for phone number->user lookups. Suriya Prakash argues that by default most people allow others to find them by their phone numbers and that no limitations were in place while he collected Facebook user details. Prakash admits that his tool was throttled after he made his list public.
A Facebook spokesman declared: “Facebook has developed an extensive system for preventing the malicious usage of our search functionality and the scenario described by the researcher was indeed rate-limited and eventually blocked. We are constantly updating these systems to improve their effectiveness and address new kinds of attacks.”
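To illustrate the kind of control both sides are arguing about, here is an added example (not Facebook's system and not code from the article) of a per-client limiter on phone number->user lookups that throttles first and then blocks. The window, both thresholds, the client names and the 555 numbers are constructed assumptions.

```python
from collections import defaultdict, deque


class LookupLimiter:
    """Limits how many *distinct* phone numbers one client may look up
    inside a sliding time window. All thresholds are assumed values."""

    def __init__(self, window=60.0, throttle_at=5, block_at=10):
        self.window = window            # seconds of history kept per client
        self.throttle_at = throttle_at  # distinct numbers before slowing down
        self.block_at = block_at        # distinct numbers before blocking
        self.history = defaultdict(deque)  # client -> deque of (ts, number)
        self.blocked = set()

    def check(self, client, number, now):
        if client in self.blocked:      # a block is sticky until reviewed
            return "block"
        q = self.history[client]
        while q and now - q[0][0] > self.window:
            q.popleft()                 # drop lookups older than the window
        q.append((now, number))
        # Repeated lookups of one contact are normal use; many different
        # numbers in a short time is the enumeration signal.
        distinct = len({n for _, n in q})
        if distinct >= self.block_at:
            self.blocked.add(client)
            return "block"
        return "throttle" if distinct >= self.throttle_at else "allow"


def sample_events():
    """Constructed traffic: (timestamp, client, phone number)."""
    normal = [(0.0, "user-a", "555-0100"), (50.0, "user-a", "555-0100"),
              (110.0, "user-a", "555-0101")]
    bulk = [(float(i), "script-b", f"555-02{i:02d}") for i in range(12)]
    return sorted(normal + bulk)


def replay(events, limiter):
    """Run events through the limiter; return {client: [decisions]}."""
    out = defaultdict(list)
    for ts, client, number in events:
        out[client].append(limiter.check(client, number, ts))
    return dict(out)


if __name__ == "__main__":
    for client, decisions in replay(sample_events(), LookupLimiter()).items():
        print(client, decisions)
```

A limiter keyed on a single client identifier only sees lookups made under that identifier, so lookups spread across many accounts or addresses would need aggregate monitoring as well.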