Hey all, I'm extremely baffled at Facebook's ability to deduce the phone number I'm using, when I'm accessing their service on the Mobile Chrome web browser, running on an Android 4.4.2 device that is connected to the Internet over 3G data. Their access to the current phone number I'm using is apparent as a small text box appeared on their web site (after logging in) asking me if I want to update my phone number to a prepaid phone number I was temporarily using (and over which the 3G data connection was established).
This happened to me on two different occasions, with two different carriers - both of which said that they do not provide any phone number look-up APIs for Facebook or others. The platform on which the described situation happened is an LG Nexus 5, running stock Android 4.4.2 with no Facebook app installed - Facebook was accessed on Google's Mobile Chrome web browser.

A few questions are on my mind.

Did the phone number leak occur through the use of Mobile Chrome? It would seem too huge a security leak, and I'm skeptical about this.

Did the carrier offer Facebook an IP address <-> phone number look up service? When asked, the carriers declined this in a direct manner.

Could there be other apps (or their ad libraries) leaking the information to Facebook? Well, I hope not, but here's a list of installed apps (at the time of the leak):
Thanks to anyone who's interested in figuring this one out.
