There's no easy way to look up someone's mobile-phone number. White pages? Nope. Directory assistance? Uh-uh.
It's something that drives telemarketers and pollsters crazy, as there are millions of people, especially young ones, who don't have any landlines and can't easily be reached by strangers.
But it turns out Facebook has been openly listing mobile numbers all along, as Indian security researcher Suriya Prakash discovered recently.
Needless to say, he wasn't happy about it.
"I would consider my most 'personal' data saved on Facebook to be my mobile number as it is somewhat of a bridge interlinking both my personal and online life," Prakash explained in a blog posting this past Thursday. "I would not like people I don't want getting a hold of it."
Prakash had earlier told Facebook about his discovery, but the company told him there were no security issues involved as the rate of queries from a particular source would be limited as a guard against automated attacks.
Prakash found that that was true for the desktop version of Facebook, but not the mobile one.
Try it yourself
To use Prakash's method, log into Facebook on a desktop browser, copy this URL and paste it into the address bar: http://m.facebook.com/search/?query=123456789
Then substitute a Facebook friend's mobile number for the number string and hit "Enter." (Be sure to include the country code prefix — "1" for the U.S. and Canada, "44" for Britain, "33" for France and so on.)
If your Facebook friend has listed his mobile number on Facebook, or if he's got a Facebook app on his smartphone, it'll show right up. In many cases, it works for "friends of friends" and for total strangers.
Why? As Prakash found, the default Facebook privacy setting for "Who can look you up using the email address or phone number you provided?" is "Everyone."
(To see it yourself, click on the downward facing arrow next to the "Home" button in the upper-right corner of your Facebook page, then click "Edit Settings" next to "How You Connect.")
Contacted by TechNewsDaily, a Facebook representative said this was a feature, not a flaw.
"The ability to search for a person by phone number is intentional behavior and not a bug in Facebook," the representative wrote in an email.
"By default, your privacy settings allow everyone to find you with search and friend finder using the contact info you have provided, such as your email address and phone number. You can modify these settings at any time from the Privacy Settings page.
"Facebook has developed an extensive system for preventing the malicious usage of our search functionality and the scenario described by the researcher was indeed rate-limited and eventually blocked. We are constantly updating these systems to improve their effectiveness and address new kinds of attacks."
Gold mine of information
Until yesterday (Oct. 8), a savvy telemarketer could have created a computer script generating possible mobile-phone numbers, then harvested whatever real names were matched to them through Facebook.
To prove it, Prakash did exactly that, running through thousands of possible mobile numbers in India and in New York City. (Unlike the rest of North America, New York has an area code dedicated to mobile numbers.)
You can see a small subset — 850 names — of Prakash's results here. If you've got a New York mobile number in the format (917) 5x2-xxxx, you may even be on it.
Another researcher, Tyler Borland, wrote an even faster script that looked up 10 numbers at once.
"I was able to verify data for 1 phone number every second," Borland told Computerworld.
With a botnet of 100,000 hijacked computers, Prakash estimated, the entire Facebook mobile-phone-listing database could have been harvested in a few days.
Facebook tweaked its settings to limit the number of responses it would give to a specific IP address. But the method still works manually.
TechNewsDaily was able to find the mobile numbers of four strangers, all of whom had presumably not tweaked their default privacy settings, by slowly running through a list of 20 possible New York numbers.
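The gap Prakash describes is a rate limit enforced on the desktop site but not on the mobile one, later patched by capping responses per IP address. The following is an added example, not code from the article, from Prakash or from Facebook, showing how a defender could spot number-by-number lookups in access logs and why the lookup budget has to be shared across every host that serves the same search. The log format, the host names, the IP addresses and the phone numbers are all constructed for the example; the limit and window are illustrative.

```python
"""Flag clients that enumerate phone numbers through a lookup endpoint.

Added example for the article above, not part of any real site's code.
Assumes a simplified access-log format (constructed here): timestamp,
client IP, host, path. A query that is all digits is treated as a
phone-number lookup; name searches are ignored.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one client walks consecutive numbers, splitting the
# requests between the desktop host and the mobile host; another client does
# one name search and one number search.
SAMPLE_LOG = """\
2012-10-08T10:00:00 198.51.100.7 www.example-social.test /search/?query=19175550001
2012-10-08T10:00:01 198.51.100.7 www.example-social.test /search/?query=19175550002
2012-10-08T10:00:02 198.51.100.7 m.example-social.test /search/?query=19175550003
2012-10-08T10:00:03 198.51.100.7 m.example-social.test /search/?query=19175550004
2012-10-08T10:00:04 198.51.100.7 m.example-social.test /search/?query=19175550005
2012-10-08T10:00:05 198.51.100.7 m.example-social.test /search/?query=19175550006
2012-10-08T10:00:30 203.0.113.9 www.example-social.test /search/?query=alice%20smith
2012-10-08T10:00:31 203.0.113.9 m.example-social.test /search/?query=19175550007
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<host>\S+) /search/\?query=(?P<q>\S+)$"
)
# Digits only, country code included, roughly E.164 length bounds.
PHONE_RE = re.compile(r"^\d{7,15}$")


def parse_lookups(log_text):
    """Yield (timestamp, ip, host, number) for every search request whose
    query value is an all-digit string, i.e. a phone-number lookup."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not PHONE_RE.match(m["q"]):
            continue
        yield datetime.fromisoformat(m["ts"]), m["ip"], m["host"], m["q"]


def flag_enumerators(log_text, limit=5, window=timedelta(seconds=60), per_host=False):
    """Return the set of keys that looked up more than `limit` distinct
    phone numbers within any sliding `window`.

    per_host=False keys on the client IP alone, so the desktop host and the
    mobile host draw from one budget. per_host=True keys on (ip, host),
    which reproduces the gap in the article: a limit on one host says
    nothing about the traffic sent to the other.
    """
    events = defaultdict(list)  # key -> list of (timestamp, number)
    for ts, ip, host, number in parse_lookups(log_text):
        key = (ip, host) if per_host else ip
        events[key].append((ts, number))

    flagged = set()
    for key, hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Advance the window start until the span fits inside `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = {n for _, n in hits[start:end + 1]}
            if len(distinct) > limit:
                flagged.add(key)
                break
    return flagged


if __name__ == "__main__":
    print("per IP, all hosts:", flag_enumerators(SAMPLE_LOG))
    print("per (IP, host):   ", flag_enumerators(SAMPLE_LOG, per_host=True))
```

Run stand-alone, the per-IP view flags 198.51.100.7 (six distinct numbers in five seconds), while the per-host view flags nobody, because the same client never exceeds the limit on either host on its own. That is the check to apply whenever one lookup feature is reachable through several front ends: the counter belongs to the client and the data being queried, not to the hostname the request happened to arrive on.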
Stumbling into it
Prakash discovered this Facebook feature after he noticed that his smartphone Facebook app suggested adding friends from his phone's contact list, based on his contacts' mobile-phone numbers.
In fact, he could see his contacts' profile photos and link to their Facebook profiles, even without having "friended" them on Facebook.
"What it does is that it compares the contact list from your phone to the FB database to see if you have any friends that are in your contacts but not on your Facebook account," he wrote. "I also later figured out that simply 'searching' a person's phone number (including country code) will show you their account."