Facebook’s two-factor authentication violates privacy, reveals user profiles through phone numbers

• The added security feature allowed to search anyone present on Facebook by their phone numbers.
• This was applicable to only those users who submitted their phone numbers as an option for two-factor authentication (2FA) on the social networking platform.

Social networking site Facebook is again facing backlash for privacy matters. This time it was discovered to be coming from one of its security features. It appears that the company’s 2FA could be abused to reveal Facebook users.

Jeremy Burge, the creator of Emojipedia, uncovered this issue believed to be lingering in the platform for a long time.

Worth noting

• Burge found out that the security feature was giving out identities of users when searched for their phone number.
• In one of his tweets, he also mentioned that the search feature cannot be disabled currently.
• Whenever users handed their phone numbers for 2FA, Facebook automatically puts up suggestions to connect with them if a person has his/her number.
• Burge explained in a series of tweets how contact numbers were likely availed by Facebook through its other platforms - Whatsapp and Messenger.
• Facebook had earlier removed a separate phone-number search feature in its platform in 2018.
• This was after the company was found using personally identifiable information (PII) such as phone numbers, for its advertising campaigns.

What does Facebook say?

Once the issue came into light, Facebook responded by saying that it was not related to 2FA but rather due to the ‘Who can look me up?’ option.

“Today, the 'Who can look me up?' settings control how your phone number or email address can be used to look you up in other ways, such as when someone uploads your contact info to Facebook from their mobile phone," told a spokesperson to The Register.

Post the Cambridge Analytica incident in 2018, this is Facebook’s another episode violating user privacy.