Facebook Phone Number Exposed: Bug Hunter Discovers Vulnerability in Facebook’s Privacy Settings
On May 6, 2021, bug hunter Youssef Sammouda uncovered a significant vulnerability in Facebook’s privacy settings that could allow attackers to identify Facebook users by their phone numbers, regardless of those users’ privacy settings. The bug enabled an attacker to link a phone number to a Facebook account and obtain that account’s user ID.
Sammouda’s discovery revealed that adding a phone number to an attacker-controlled Facebook account triggered a response from the m.facebook.com/phoneacquire/ endpoint that exposed the number’s current owner, whatever that user’s privacy settings were.
To reproduce the issue, Sammouda followed these steps:
He logged in to the attacker account and navigated to . He then added the phone number he wanted to look up. This action redirected him to the m.facebook.com/phoneacquire/ endpoint, and the parameters attached to that redirect, specifically the “giver_id” parameter, revealed the user ID of the Facebook account associated with the phone number.
This vulnerability posed a significant risk, as it could have been exploited to deanonymize and identify Facebook users linked to specific phone numbers. Fortunately, Sammouda reported the issue to Facebook on March 13, 2021, and the company acknowledged it four days later. Facebook successfully fixed the bug on April 7, 2021, and rewarded Sammouda with a $9000 bounty, including a bonus, on April 26, 2021.
Sammouda’s responsible disclosure and Facebook’s prompt action ensured that this vulnerability was addressed, protecting users’ privacy and maintaining the security of their personal information.
Link to read full write up: https://ysamm.com/?p=691