A tipster pointed out to us that Facebook integration in iOS 6 could fill in details someone might not otherwise have if they get a hold of a phone number and put it into their Contacts app. Daniel Ioffe noticed that should a number in Contacts correspond to a Facebook profile, it’ll populate that entry with a profile photo and Facebook user name, even if all of the above information is kept private by the user.
That may not sound like that big of a deal. After all, it’s generally pretty safe to assume that if someone has your phone number, they know your name, and may have a good idea of what you look like. Also, Apple tells users that it’s temporarily providing phone numbers to make a match in the Facebook section of Settings on iOS devices, as you can see below.
Here’s the thing: it works even when you don’t have any information about a contact beyond their phone number. I confirmed this by entering some random numbers. On my second try, I found one that populated with a full name and picture, even though the individual’s profile was hidden on Facebook. I called the number and it did indeed go to that person’s voicemail. Likewise, when I tried it with the numbers of two colleagues (who I am not friends with on Facebook), without using their correct names and only their numbers, I got their full names and current profile photos in my Contact entries for them. I also tried it with a number of other numbers I knew were on Facebook, but who weren’t friends of mine and who didn’t make their info public, and again, I got full names and photos back.
From the guy who discovered it:
Guys, the whole point is if there are 2 platforms that both have privacy rules, then when they come together to collaborate they must use the highest standard of privacy amongst both to maintain said relationship and individual system integrity. Having someone’s phone number certainly doesn’t mean you’re friends. And if on Facebook you have any info that you choose to hide from everyone or just the public then no one should be able to access it or associate with said information with an outside system. That is a security and a privacy breach. I found the bug and tested it. Everyone I revealed it to when we tested was upset haha.