by davidjohnstone 1901 days ago
> I'd imagine that could be more successful on here, heh.

You're right about that!

If I were to make a HN-friendly version, I'd probably make static JSON files that list all the numbers, indexed by the first four or so digits. When you enter a number, the first digits are sent to the server, and the appropriate JSON file is returned. That list is then searched client-side for the full number and the result displayed. The code should be simple, making it easy to verify that the full number doesn't leave the client, while maintaining the same simple user interface I already have. Variations of this idea could be more secure (i.e., only enter the start of the number and search for your number yourself in a long list) but less user-friendly.

I don't actually have any plans to implement this though. I feel satisfied enough with what I have.

(I don't think hashing would work because the address space is too small and reversing is too easy. There aren't any email addresses.)
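The prefix-bucket scheme described in the comment above, written out as an added example (not code from the original post or from the author's site); the sample numbers, the `StaticServer` stand-in for the static file host and the 4-digit prefix length are constructed assumptions:

```python
# Added example: prefix-bucketed lookup where only the first PREFIX_LEN
# digits of the queried number ever reach the server; the full-number
# match happens on the client.
import json
from collections import defaultdict

PREFIX_LEN = 4  # assumption: "first four or so digits"

# Constructed sample of leaked numbers (not real data).
LEAKED_NUMBERS = [
    "61412345678", "61412399999", "61498765432", "61298765432", "61412000001",
]

def only_digits(number):
    """Normalise '+61 412 345 678' style input to a digit string."""
    return "".join(ch for ch in number if ch.isdigit())

def build_buckets(numbers, prefix_len=PREFIX_LEN):
    """Group numbers by their leading digits. Each bucket corresponds to one
    static JSON file named after its prefix (e.g. 6141.json)."""
    buckets = defaultdict(list)
    for n in numbers:
        digits = only_digits(n)
        buckets[digits[:prefix_len]].append(digits)
    return {prefix: sorted(bucket) for prefix, bucket in buckets.items()}

class StaticServer:
    """Hypothetical stand-in for a static file host. It records every prefix
    it is asked for, which is all a server in this design can learn."""
    def __init__(self, buckets):
        self.files = {p + ".json": json.dumps(b) for p, b in buckets.items()}
        self.requests_seen = []

    def get(self, prefix):
        self.requests_seen.append(prefix)
        body = self.files.get(prefix + ".json")
        return json.loads(body) if body else []

def client_check(server, full_number, prefix_len=PREFIX_LEN):
    """Client side: send only the prefix, then search the returned list
    locally so the full number never leaves the client."""
    digits = only_digits(full_number)
    bucket = server.get(digits[:prefix_len])
    return digits in bucket
```

Inspecting `server.requests_seen` after a few lookups shows the server only ever saw 4-digit prefixes, which is the property the comment says should be easy to verify in the code.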

2 comments

Just release a CSV containing just the numbers as a zstd compressed file. We can search it ourselves.

True, hashes would be completely trivial to reverse, I didn't think that through :D

And you're right, the only way to build a HN-friendly version would probably be to basically do the checking client-side, since any additional information you send to the server could be directly used to narrow the search space.

I think I read that there are some email addresses in the leak though; wasn't HaveIBeenPwned searching only for those, but not for numbers?

Oh, you're right, there are some email addresses, but not many. In the first 10,000 rows of Australian data, there are 62. I could be wrong, but I think the extra data about users (i.e., location, email address, relationship status, workplace) was scraped from Facebook so it only includes it when it was already publicly visible.

Just brute-force his website's form with a polite delay between requests and enumerate your own list of numbers!

I laughed, then had another idea: Rather than send the server one number to check, generate another 99 random numbers in the client and send them all to the server. The client receives the status of all of them and shows the status of the entered number. The server never knows the actual number, and the phone number address space is saturated enough that many or most of the random numbers are also real numbers.

That is similar to how I checked, actually.

;)