Social networking giant Facebook uses two-factor authentication (2FA) to give its users additional security and ensure that no one else can access their accounts. Many apps, such as WhatsApp, Instagram and Twitter, use this method to keep users’ accounts safe from unknown access. But Facebook is using 2FA for other purposes as well.
According to a report by TechCrunch, the social platform is letting the phone numbers that users provide for 2FA be visible to everyone. Jeremy Burge, an executive from Emojipedia, identified this flaw first. According to him, Facebook has no option that lets users hide their phone number, and anyone can see the number a user has given. Burge tweeted that Facebook’s privacy settings have no feature to completely hide users’ phone numbers.
Burge’s tweet read: “For years Facebook claimed the adding a phone number for 2FA was only for security. Now it can be searched and there’s no way to disable that.”
Facebook lets users hide their date of birth completely by choosing the ‘only me’ option, or they can choose from options that let everyone, friends, or friends of friends see their D.O.B. But no such feature is available to hide a user’s phone number from public view. The phone number setting defaults to ‘everyone’, and there is no ‘only me’, ‘friends’ or ‘friends of friends’ option for it.
Burge also stated that because Instagram is owned by Facebook, it shares the 2FA number, which lets users link their Instagram account with their Facebook account. When the accounts are linked, Instagram automatically sends the user a message to confirm the phone number used on one platform.
As of March 2019 the settings screen on Facebook reads:
Who can look you up using the phone number you provided?
This applies to people who can't see your phone number on your profile.
(+ the default for me, and many others, was "everyone", despite only providing phone for 2FA) pic.twitter.com/b8BU5TtGP9
— Jeremy Burge (@jeremyburge) March 4, 2019
This is not the first time Facebook has been in the news over this matter. Last year, many users reported receiving random SMS notifications after they gave their number for 2FA. The social media platform acknowledged the bug and later fixed it. But it was subsequently revealed that Facebook was using users’ phone numbers to target ads. According to a report by Gizmodo, Facebook was giving users’ phone numbers to advertisers, who ran ads targeted at those users. The company even confirmed that it was using users’ details “to offer a more personalised experience, including showing more relevant ads.”