Looking in the privacy settings of my Facebook profile, I discovered the option which indicates who can search you by the phone number you provided. The default setting is everyone.
Probably this option is intended to allow users to match friends from the phonebook on their phones, but it works on the desktop site too, by simply entering the phone number in the search box. It works even if you have set your phone number to be private; it’s a different kind of option.
This is pretty similar to the kind of matching that is done in WhatsApp or similar apps to find friends, but it is completely different if you consider that in those other services you cannot discover additional information like first and last name by providing the phone number; you just use the name you have saved in your phonebook.
Using this Facebook feature lets you get a lot of information (Facebook’s public profile info) by only providing the number of the person you’re interested in. That’s interesting.
Of course, to be searched this way, you need to have provided your number in some way to Facebook. But this is more and more common: Facebook asks for it on various occasions, such as for two-step verification, and likely when using the mobile Messenger app.
With that said, this service can be used to match unknown numbers, which is pretty useful [and a little creepy, if you think you can finally find out whose number it is that is written on the toilet wall].
Interested in this possibility, I tried to brute-force the function to create a phonebook of random people from Facebook. I made a program which randomly tries a lot of numbers, waiting for matches in the search box.
Actually, it worked pretty well, and I was able to retrieve something like ~50 phone numbers and the related Facebook profiles by searching phone numbers similar to my own.
The program was set to run forever, but after a while Facebook notified me that I was misusing their services, and asked me to enter a captcha to verify my humanity.
This method is probably not suitable for retrieving the phone numbers of every Facebook user (actually, I still think there’s a chance if you have a large number of fake Facebook accounts working simultaneously), but it could be used by some spammers to find a few random numbers and the related public information (likes, hometown, etc.) to perform some targeted advertising.
My very simple Python script is bound to the Italian version of Facebook, but it is essentially very easy: it uses Selenium webdrivers to log in to Facebook and then search for numbers in the search box, looking for changes in the search suggestions to identify a match.
Since I don’t need people to get my Facebook friendship only because I’m in their phonebook, I changed the option value from everyone to friends.