
Facebook Privacy Vulnerability: Bug Hunter Exposes Phone Number of User ID Linkage Despite Privacy Settings

Facebook Phone Number Exposed: Bug Hunter Discovers Vulnerability in Facebook’s Privacy Settings

Facebook Phone Number Exposed – On May 6, 2021, bug hunter Youssef Sammouda uncovered a significant vulnerability in Facebook’s privacy settings, potentially allowing attackers to identify Facebook users by their phone numbers, despite privacy settings. This bug enabled attackers to link phone numbers to Facebook accounts and access user IDs.

Sammouda’s discovery revealed that adding a phone number to an attacker’s Facebook account would trigger a response from the m.facebook.com/phoneacquire/ endpoint, exposing the current owner’s information, regardless of privacy settings.

To reproduce the issue, Sammouda followed these steps:

He accessed the attacker account and navigated to . Then, he added a new phone number to look up. This action redirected him to the m.facebook.com/phoneacqwrite/ endpoint, revealing the user ID of the Facebook user associated with the phone number in the attached parameters, specifically the “giver_id” parameter.

This vulnerability posed a significant risk, as it could have been exploited to deanonymize and identify Facebook users linked to specific phone numbers. Fortunately, Sammouda reported the issue to Facebook on March 13, 2021, and the company acknowledged it four days later. Facebook successfully fixed the bug on April 7, 2021, and rewarded Sammouda with a $9000 bounty, including a bonus, on April 26, 2021.
Sammouda’s responsible disclosure and Facebook’s prompt action ensured that this vulnerability was addressed, protecting users’ privacy and maintaining the security of their personal information.
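
A regression check for this class of leak, as an added example that is not from the original write-up or from Facebook: it scans the redirect URL returned by a phone-number flow for parameters that identify an account other than the requester, including ones wrapped inside a nested redirect target. Only the `giver_id` parameter name comes from the article; the host, paths, other parameter names and IDs are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qsl

# "giver_id" is the parameter named in the article; the rest are assumed
# names that a similar flow might use for an account identifier.
ID_PARAMS = {"giver_id", "owner_id", "user_id", "uid"}
MAX_DEPTH = 3  # levels of URL-inside-a-parameter to unwrap


def leaked_ids(location, requester_id, depth=0):
    """Return (param, value) pairs in a redirect URL that name another account."""
    findings = []
    parts = urlsplit(location)
    # Query and fragment are both visible to the client that follows the redirect.
    for raw in (parts.query, parts.fragment):
        for name, value in parse_qsl(raw, keep_blank_values=True):
            if name.lower() in ID_PARAMS:
                if value and value != requester_id:
                    findings.append((name, value))
            elif depth < MAX_DEPTH and ("?" in value or "#" in value):
                # parse_qsl already percent-decoded the value, so a nested
                # target such as next=/path?giver_id=... can be parsed again.
                findings.extend(leaked_ids(value, requester_id, depth + 1))
    return findings


# Constructed sample data (example.test host, made-up numeric IDs).
REQUESTER = "100000000000001"
SAMPLES = {
    "leaky": "https://m.example.test/phone/confirm/?cp=%2B15550100"
             "&giver_id=100000000000002&flow=add",
    "fixed": "https://m.example.test/phone/confirm/?cp=%2B15550100&flow=add",
    "nested": "https://m.example.test/login/?next=%2Fphone%2Fconfirm%2F"
              "%3Fgiver_id%3D100000000000002",
    "own_id": "https://m.example.test/phone/confirm/?user_id=100000000000001",
}

if __name__ == "__main__":
    for label, url in SAMPLES.items():
        hits = leaked_ids(url, REQUESTER)
        print(f"{label:7s} {'FAIL ' + str(hits) if hits else 'ok'}")
```

Run against the `Location` header of every response in the flow, a check like this fails the build when another user's identifier reappears in a redirect.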

–Meta bug bounty program

Link to read full write up: https://ysamm.com/?p=691

Christin
