Jinwoo Kim, Kuyju Kim, Junsung Cho, Hyoungshick Kim and Sebastian Schrittwieser. Hello, Facebook! Here is the stalkers’ paradise!: Design and analysis of enumeration attack using phone numbers on Facebook. 13th International Conference on Information Security Practice and Experience (ISPEC 2017)

Abstract:
We introduce a new privacy issue on Facebook. We were motivated by the Facebook’s search option, which exposes a user profile with his or her phone number. Based on this search option, we developed a method to automatically collect Facebook users’ personal data (e.g., phone number, location and birthday) by enumerating the possibly almost entire phone number range for the target area. To show the feasibility, we launched attacks for targeting the users who live in two specific regions (United States and South Korea) by mimicking real users’ search activities with three sybil accounts. Despite Facebook’s best efforts to stop such attempts from crawling users’ data with several security practices, 214,705 phone numbers were successfully tested and 25,518 actual users’ personal data were obtained within 15 days in California, United States; 215,679 phone numbers were also tested and 56,564 actual users’ personal data were obtained in South Korea. To prevent such attacks, we recommend several practical defense mechanisms.