8

I'm not registered with Facebook and I've never logged in to Facebook inside the browser I use, Today I enter the site facebook.com and see my actual phone number on the sign in page with this message:

Facebook requests and receives your phone number from your mobile network

So how does a website, in this case Facebook get the mobile phone number inside the browser?


Ewan
  • 70,664
  • 5
  • 76
  • 161
Kody
  • 115
  • 1
  • 3
  • See also [a similar question on Security.SE](https://security.stackexchange.com/q/97198/7684). It seems, however, that your situation is different (or that Facebook message is wrong and misleading). – Arseni Mourzenko Jan 30 '20 at 18:30
  • you might as well ask how the person you just called got your number, or the person you emailed got your email. Its surprising because people consider their number 'personal data' but no security has been breached or implemented – Ewan Jan 30 '20 at 22:29

3 Answers

8

Basically your mobile phone company is adding your phone number to HTTP headers when you visit certain sites.

So when you visit www.advertiser.com your request goes to your mobile phone operator, via cell towers, through their network, off to the internet.

Obviously the cell tower knows your number, as does your phone operator. They configure their router to add some more headers to your HTTP request (unencrypted) because the owner of advertiser.com pays them to do so.

This extra data is then sent over the internet to www.advertiser.com who can simply parse it out of the headers and put it back in the <input> tag in the response.

Facebook are being quite open about this here. But they will also get the phone number, along with the website URL of every site you visit with a like button somewhere on it, which they then store on a big database in China.

http://www1.icsi.berkeley.edu/~narseo/papers/hotm42-vallinarodriguez.pdf

Ewan
  • 70,664
  • 5
  • 76
  • 161
  • 2
    Lovely ........ – Robert Harvey Jan 29 '20 at 15:47
  • FB in particular does not store any corporate data in China due to Chinese laws around search and seizure. – Telastyn Jan 29 '20 at 18:27
  • *knowingly store – Ewan Jan 29 '20 at 18:37
  • 3
    Of course, if the data is stored in the USA, it's subject to US laws on search and seizure. This is scarcely any more comforting for anyone outside the USA. – Simon B Jan 30 '20 at 11:55
  • @SimonB: Or anyone *inside* the USA as well. – Greg Burghardt Jan 30 '20 at 12:31
  • @GregBurghardt you have been flagged for enhanced visa checks. It's interesting, I often wonder if there is a point where people stop using the internet – Ewan Jan 30 '20 at 12:48
  • 7
    Since Facebook is all HTTPS (including the page on the screenshot), how would the mobile phone operator be able to tamper with any data, including the headers? Imagining that the mobile phone operator installed its own certificate on the phones it sells in order to be able to decrypt all the traffic would sound particularly creepy and is likely to be illegal in both the United States and the EU. – Arseni Mourzenko Jan 30 '20 at 13:39
  • 1
    well, there's TLS interception, or the site paying the operator to add the data can just give it a copy of the cert for the site. It doesn't need to be on the phone. Or the site could include an http tracking link, or you can do some clever stuff with the key exchange itself – Ewan Jan 30 '20 at 13:54
  • 3
    If Facebook has a deal with mobile operators, presumably the operators could just tell Facebook their IP-ranges. Then, whenever Facebook wants to know a user's number, Facebook could just ping the provider to say, "_Hey, I got a packet from such-and-such an IP address that's in your claimed range, what's their number?_". – Nat Jan 30 '20 at 14:29
  • @Ewan: it sounds way too much far-fetched, as well as, once more, plainly illegal. Do you have any reference that this is what is happening (books about big brother watching us don't count)? – Arseni Mourzenko Jan 30 '20 at 18:19
  • ..there is the link to the paper? Also google "facebook http enrichment careers" and there are dozens of jobs – Ewan Jan 30 '20 at 19:27
  • it's a widely used technology and not illegal – Ewan Jan 30 '20 at 19:27
  • "Facebook requests and receives your phone number from your mobile network." The strange word here is "request", so it's not just "scraping" from HTTP headers. If I connect from another operator in another country, Facebook cannot get my number. So it seems that this operator really provides it only to Facebook and others with which it has agreements. – Kody Jan 30 '20 at 22:28
  • But the research paper says only 13% of 299 operators use this method of identification. – Kody Jan 30 '20 at 22:34
  • they also say they can't see ones which are added only to specific sites. Of course it's difficult to say this is the exact method used in this case. But FB does advertise for HTTP enrichment engineers and this method is used for fast login in Turkey I believe – Ewan Jan 30 '20 at 22:39
  • the "request" in this case is requesting the operator do the header enrichment – Ewan Jan 30 '20 at 22:41
  • can I ask what operator in which country you experienced this? – Ewan Jan 30 '20 at 22:42
  • Is there a way to verify if a method of identification is used on HTTP headers? The operator is TIM, country Brazil. – Kody Jan 31 '20 at 14:45
  • Let us [continue this discussion in chat](https://chat.stackexchange.com/rooms/103952/discussion-between-kodis-and-ewan). – Kody Jan 31 '20 at 22:10
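As an added example, not posted by anyone in this thread, the Python check below flags enrichment-style headers in a raw HTTP request; it is also one way to answer the verification question above: load a plain-HTTP page hosted on a server you control from the phone's browser over the mobile data connection, then run the request the server logged through it. The header-name set and the sample request are assumptions constructed for the example, not values taken from any operator.

```python
import re

# Header names documented as injected by operator middleboxes (the set is an
# assumption for this example; a given operator may use other names).
KNOWN_ENRICHMENT_HEADERS = {
    "x-msisdn", "x-up-calling-line-id", "x-nokia-msisdn", "x-imsi",
    "x-up-subno", "x-wap-msisdn", "msisdn",
}
# Loose E.164-style pattern: optional '+', then 8 to 15 digits.
PHONE_RE = re.compile(r"^\+?\d{8,15}$")


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (request line, {lowercase name: value})."""
    head = raw.partition(b"\r\n\r\n")[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def find_enrichment(raw):
    """Return (header, value, reason) for headers that look like subscriber identifiers."""
    _, headers = parse_request(raw)
    findings = []
    for name, value in headers.items():
        if name in KNOWN_ENRICHMENT_HEADERS:
            findings.append((name, value, "known enrichment header name"))
        elif PHONE_RE.match(value.replace(" ", "").replace("-", "")):
            findings.append((name, value, "value looks like a phone number"))
    return findings


# Constructed sample: a plain-HTTP request as the origin server (or a local
# logging proxy) would receive it after a middlebox appended subscriber headers.
SAMPLE_REQUEST = (
    b"GET /login HTTP/1.1\r\n"
    b"Host: www.advertiser.example\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"X-Forwarded-For: 203.0.113.7\r\n"
    b"x-msisdn: 5511999990000\r\n"
    b"X-Carrier-Sub: +55 11 99999-0000\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for name, value, reason in find_enrichment(SAMPLE_REQUEST):
        print(f"{name}: {value}  <- {reason}")
```

The dotted IP in X-Forwarded-For is deliberately not flagged, so the check reports only the two subscriber-looking headers; an empty result on your own traffic means no enrichment was visible on that path, not that the operator never does it (the paper linked above notes site-specific injection is hard to observe).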
1

Given fields are remembered by the browser, so for example if I enter some store (online), and they use the same field keys as other stores, a lot of input will be filled automatically (by the browser).

If it is the source of your phone number, I would check the browser settings to exclude remembering digits. If not, it might happen that you enter some PIN code or something; on another site there will be the same field key, but hidden, so you don't even know when the browser will do auto-completion for you and send sensitive data.

greenoldman
  • 1,506
  • 1
  • 14
  • 27
1

Facebook requests and receives your phone number from your mobile network.

Without confirming, that sounds literal to me. That is, it sounds like Facebook literally just asks your mobile network provider to tell them your number.

I'd imagine it works like this:

  1. Some Facebook page wants your mobile number.

  2. Facebook checks what provider's IP address range your IP address is in to determine your provider.

  3. Facebook sends a request to your provider to the effect of:

    Hey, we got traffic from a user at 123.123.123.123, which is an IP address within your service's range. What's their number?

  4. Then, I guess, your mobile internet provider may choose to respond to Facebook's request.

It's probably an automated service that they've got set up. Such a service would seem pretty easy to implement and run on a technical level; the major hurdles would seem to be legal/political.

From Facebook:

We may suggest a mobile number for you based on information we receive from sources such as:

  • Your mobile phone or tablet.

  • Contact info provided by others on Facebook.

  • A mobile number that you entered previously but didn't confirm.

Facebook

So as Facebook describes it, they may try to pull phone numbers from multiple sources.

Nat
  • 1,063
  • 1
  • 8
  • 11
  • This is interesting and if true it's outrageous. – Kody Jan 30 '20 at 22:42
  • @Kodis You might be able to get more information if you call your mobile internet provider's technical support to ask them if they are, in fact, providing Facebook with your information. Does seem a lil strange if consumers are opted-in by default; but, if they have gone that far, ideally they'd at least allow opting-out. – Nat Jan 31 '20 at 03:23
  • 1
    @Kodis The interesting thing about this is that, if it's true, it'd seem to break a pattern about paid services having stronger privacy policies. I mean, usually it's not so surprising when free services sell users' information as their business model. But seems like mobile internet providers tend to charge a good bit for their services, and if they anger their customers, then their customers might switch to another provider, making something like this seem less obvious. – Nat Jan 31 '20 at 03:27