[HN Gopher] Facebook has a hidden tool to delete your phone numb... ___________________________________________________________________ Facebook has a hidden tool to delete your phone number, email Author : elorant Score : 80 points Date : 2022-11-01 20:25 UTC (2 hours ago) (HTM) web link (www.businessinsider.com) (TXT) w3m dump (www.businessinsider.com) | tony-allan wrote: | This is a service to ONLY delete your phone number uploaded from | someone else's address book. I expect that they have hundreds of | other sources of your private data so they don't really care if | you delete this copy. | | Read the text carefully - | https://www.facebook.com/contacts/removal | | You are just adding another signal to their data about your | attitudes and beliefs that is valuable to advertisers. | neves wrote: | It looks like a scam. I never confirmed my number, but they need | to send a sms to it so they can confirm it. | nikeee wrote: | This instantly reminded me of this: | https://i.imgur.com/nAoc3cO.jpeg | jaredsohn wrote: | Nice thing about this is how easy it is to implement. But if | it ever says 'no' then there is a bug. | autoexec wrote: | > "You can ask us to confirm whether we have your phone number or | email address," the firm states. "If we do, you can request that | we delete it from our address book database. To prevent it from | being uploaded to this database again through someone's address | book, we need to keep a copy in our block list." | | I wouldn't doubt if they remove your information from their | "address book database" and add it to one or more others where | they keep it forever. There's zero oversight, and zero | accountability. It makes no sense at all to just assume that | facebook will do anything they aren't forced to when not doing | that thing could make them money. Facebook doesn't care about | you, your privacy, or even the law. Facebook cares only about | facebook. | ritzaco wrote: | Of course, it's not a technical problem. 
They could keep a hash | instead of a copy. But I'm sure people who find the 'hidden | tool' and request to have their information removed are | interested in specific products, so a list of these people is | very valuable to train machine learning models on. | m463 wrote: | I wonder what happens if someone blocks their phone number, | then switches it. | | Will the re-used number be blacklisted forever with a hash | scheme? | kadoban wrote: | Hashes of phone numbers is unfortunately not actually useful | in almost any circumstance. You can trivially reverse them by | iterating through every phone number and computing the hash. | | Hashes of emails is not quite as useless, but not far off | (consider 90+% of emails are at like ~3 domains, and also | that lists of vaguely ~valid email addresses aren't hard to | get). | qxmat wrote: | Slow hash function + salt would solve this. e.g. you'd be | lucky to do more than 10 hashes a minute with bcrypt and 20 | salt rounds. | kadoban wrote: | You can try that, but it's really difficult to tune so | it's useful. The amount of time the server has to waste | computing hashes is too close to the amount of time an | attacker has to waste to break at least some of them. | | It's just not hard enough to guess a potentially valid | phone number. With passwords, hashing only helps because | the probability of a valid password is _very_ low, and | because you don't need to look up a password, only check | if it's the right one for joeblow (so you can salt them | individually). | m4jor wrote: | Yeah but with hashcat supporting cracking with multiple | GPUs, even bcrypts can be cracked quickly now. There are | also a ton of cloud cracking services like GPUHash.me and | entire cracking forums where people crowdsource and help out | like HashKiller. | addingadimensio wrote: | Hash and salt | galeaspablo wrote: | How could I match an incoming unhashed value to an | existing salted hash? 
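An added example, not part of the thread and not Facebook's code, that works through kadoban's point above (a hash of a phone number is undone by enumerating every phone number) and galeaspablo's question (how a lookup could work against salted hashes). The normalisation rules, the global pepper, the NANP exchange block and the sample numbers are all constructed assumptions for illustration:

```python
import hashlib
import hmac
import re
import secrets

# Added example; normalisation rules, pepper and sample numbers are assumptions.


def normalize(raw: str, default_cc: str = "1") -> str:
    """Reduce the colloquial spellings a number arrives in ("00441395112233",
    "+44 (0)1395 112233", "(415) 555-0100", ...) to one canonical digit string
    (country code + national number), so equal numbers hash equally.
    default_cc is assumed for numbers written in national form."""
    s = re.sub(r"\(0\)", "", raw.strip())    # drop the UK-style "(0)" trunk hint
    has_plus = s.startswith("+")
    digits = re.sub(r"\D", "", s)
    if has_plus:
        return digits
    if digits.startswith("00"):               # "00" international dial prefix
        return digits[2:]
    # Bare international form ("441395112233", "14155550100"): NANP area codes
    # never start with 1 and UK national numbers start with 0, so a long number
    # that already starts with default_cc is taken to carry it.
    if digits.startswith(default_cc) and len(digits) > 10:
        return digits
    return default_cc + digits.lstrip("0")    # national form: drop the trunk 0


def token(number: str, pepper: bytes) -> str:
    """HMAC-SHA256 under one global secret salt (a pepper). A global salt is
    the only kind of salt that still permits a set-membership lookup."""
    return hmac.new(pepper, number.encode(), hashlib.sha256).hexdigest()


class BlockList:
    """The 'keep a hash instead of a copy' block list discussed in the thread."""

    def __init__(self, pepper: bytes):
        self.pepper = pepper
        self.tokens = set()

    def add(self, raw: str, default_cc: str = "1") -> None:
        self.tokens.add(token(normalize(raw, default_cc), self.pepper))

    def contains(self, raw: str, default_cc: str = "1") -> bool:
        return token(normalize(raw, default_cc), self.pepper) in self.tokens


def recover(tokens: set, pepper: bytes, prefix: str, width: int) -> dict:
    """The enumeration attack: hash every candidate number the same way the
    server does and read the numbers back off the matches. The server that
    answers lookups must hold the pepper, so whoever copies the database has
    it too. prefix + width bounds the search to one NANP exchange here
    (10**4 candidates); the whole NANP is on the order of 3e9 numbers, which
    is still a short job for a GPU at SHA-256 speed."""
    found = {}
    for i in range(10 ** width):
        candidate = prefix + str(i).zfill(width)
        t = token(candidate, pepper)
        if t in tokens:
            found[t] = candidate
    return found


def per_record_salted(raws: list) -> list:
    """A random salt per record, as with passwords. Returns (salt, digest)."""
    records = []
    for r in raws:
        salt = secrets.token_bytes(16)
        records.append((salt, hmac.new(salt, normalize(r).encode(),
                                       hashlib.sha256).digest()))
    return records


def contains_per_record(records: list, raw: str) -> bool:
    """With per-record salts nothing tells you which salt belongs to an
    incoming number, so every stored salt is tried: O(n) hashes per lookup,
    and the attacker's enumeration grows by exactly the same factor."""
    n = normalize(raw).encode()
    return any(hmac.compare_digest(hmac.new(salt, n, hashlib.sha256).digest(), d)
               for salt, d in records)


if __name__ == "__main__":
    pepper = secrets.token_bytes(32)
    bl = BlockList(pepper)
    for raw in ["(415) 555-0100", "+1 415 555 0199"]:   # constructed sample numbers
        bl.add(raw)
    print(bl.contains("1-415-555-0100"))                 # lookup works
    print(recover(bl.tokens, pepper, "1415555", 4))      # both numbers come back
```

Swapping SHA-256 for bcrypt or scrypt in `token` multiplies the cost of `recover` and of every legitimate `contains` call by the same factor, which is the trade-off kadoban describes; it does not change the size of the candidate space, and that space is what makes phone numbers different from passwords.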
| m4jor wrote: | hashcat | ohbtvz wrote: | There are only about 3 billion valid US phone numbers. | How many hashes can your GPU compute per second? | m4jor wrote: | Most people crack with multiple GPUs. For example, I have | a 5 GPU (3080s) rig that I used for mining ETH but now | can use to crack with hashcat. tl;dr crack fast af boiii. | kadoban wrote: | If you salt, then either you can't lookup a number, or | you've only changed the problem to: iterate over all the | possible phone numbers, _add the salt_ and hash them. No | big difference. | gerdesj wrote: | "You can trivially reverse them by iterating through every | phone number and computing the hash." | | Well yes and no. What exactly is your understanding of a | phone number 8) | | Not everyone is blessed with the NANP. I'm a Brit and we | have an eye wateringly complicated nonsense of a numbering | plan and ours isn't the worst. | | What do you hash? Perhaps the standardised international | representation or one of them (no that is not a joke - | telephony is weird). For a laugh you could try one of the | many colloquialisms. For example a UK number might be | 00441395112233 or 441395112233 or +44 (0)1395 112233 - the | final part might be displayed as 112 233 or 112-233. | Imagine if the database works by operating on all numbers | in locally correct colloquial mode and hashes that! | | Now let's really get silly: There are hashes that are nasty | to compute but easy to check and vice versa. We'll use whatever is | indicated. | | Anyway this is all a very well researched problem, there is | no need for silly games: passwords. | groffee wrote: | So normalise the data first? Your comment literally makes | no sense at all. | kadoban wrote: | Phone numbers get complicated, yeah, but US numbers are | pretty trivial (and so are they in several other places, | and even for UK it's just more annoying, not really | computationally harder). 
| | So at _best_ the security analysis is: "okay, all US | phone numbers and a bunch from other places might as well | be in cleartext", which is already broken enough that | it's basically useless. | popcalc wrote: | This is the same reason hashing a SSN is purely security | through obscurity. Anyone with a couple GB of space to | spare for a text file can easily perform a reverse lookup. | | https://gist.github.com/stouset/4322307 | krono wrote: | Not too dissimilar from Google Analytics official global opt-out | browser extension. It injects a consistent/unchanging item | into the global window scope of every single page you visit. | | https://tools.google.com/dlpage/gaoptout/index.html | | License prohibits sharing its code so I won't - setting a good | example for our artificially intelligent friends :) | cyberphobe wrote: | I'm sure our artificially intelligent friends give precisely | zero fucks what you do and will steal your shit with | impunity. If you do crime on a large enough scale, it's | called innovation. | nipponese wrote: | It's not a secret. You can google any product name plus "CCPA" | and you'll get an email address for a legally binding request to | delete data. | encryptluks2 wrote: | Providers have gotten creative now requiring you provide an | identity proving you live in California and an ominous warning | suggesting that it is a felony to state you live somewhere you | do not. | m463 wrote: | I've read the CCPA sections of privacy policies, and it's | (designed to be?) completely unclear what and how to request | stuff. There is probably a lot they can be required to do they | don't tell you. | | I'd love to see a website that details what you can do, and | step-by-step how to do it. | barbazoo wrote: | For some reason https://www.facebook.com/legal/policy/ccpa | doesn't open for me. Is this only for California residents? | carbocation wrote: | It opens for me in California, so I can't refute your | hypothesis. 
| notRobot wrote: | Not in California, doesn't open for me. | daledavies wrote: | Seems broken anyway. I requested it look for my phone number but | never received a confirmation code. | sys_64738 wrote: | Delete from FB.id where email in FB.email or phone == FB.phone; | commit; | lagrange77 wrote: | To answer your question: | | Why would they, if they didn't have to? | [deleted] ___________________________________________________________________ (page generated 2022-11-01 23:00 UTC)