Daily cyber threats and internet security news: network security, online safety and latest security alerts
August 11th, 2010

Facebook Bug Reveals Names And Photos For All 500 Million Users

A bug in Facebook’s login system allows attackers to match unknown email addresses with users’ first and last names, even when they’ve configured their accounts to make that information private.

The information leak can be exploited by social-engineering scammers, phishers, or anyone who has ever been curious about the person behind an anonymous email message. If the address belongs to any one of the 500 million active users on Facebook, the social-networking site will return the full name and picture associated with the account.

“Facebook users have no control over this, as this works even when you have set all privacy settings properly,” Atul Agarwal of Secfence Technologies wrote Wednesday on the Full-disclosure security listserve. “Harvesting this data is very easy, as it can be easily bypassed by using a bunch of proxies.”

Exploiting the vulnerability is as easy as entering the email address into the Facebook sign-on page, typing a random password and hitting enter. To streamline the attack, Agarwal has written a PHP script that works with large lists of email addresses.

Over the past few years, Facebook has come under criticism for revealing too much information about its users. The data — which can include users’ birthdays, home towns and personal friends — can then be used by marketers, stalkers, and other ne’er-do-wells to invade the users’ privacy. The social-networking site has responded by giving users more control over who gets to see select pieces of user information.

Evidently, the name-to-email-address extraction bug has been overlooked. We wouldn’t be surprised to see this fixed in short order.
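The leak described above comes down to a failed login answering differently for a registered address than for an unknown one. The following is an added example, not code from the original article, from Agarwal or from Facebook: a minimal login handler with that behaviour next to a hardened form that returns one generic failure in both cases. The account store, field names and function names are hypothetical, and the sample account is constructed.

```python
import hashlib
import hmac
import os


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


# Constructed sample account store (hypothetical data model).
_SALT = b"constructed-salt"
USERS = {
    "alice@example.com": {"name": "Alice Example", "photo": "/photos/1.jpg",
                          "salt": _SALT, "pw": _hash("correct horse", _SALT)},
}
# Dummy record: unknown addresses do the same hashing work as known ones,
# so response time does not become a second way to tell them apart.
_DUMMY = {"salt": os.urandom(16), "pw": os.urandom(32)}
GENERIC_FAILURE = {"ok": False, "error": "Incorrect email or password."}


def login_leaky(email: str, password: str) -> dict:
    """Behaviour the article describes: a failed login echoes who owns the address."""
    user = USERS.get(email)
    if user is None:
        return {"ok": False, "error": "No account for that address."}
    if hmac.compare_digest(_hash(password, user["salt"]), user["pw"]):
        return {"ok": True, "name": user["name"]}
    return {"ok": False, "error": "Wrong password.",
            "name": user["name"], "photo": user["photo"]}


def login_uniform(email: str, password: str) -> dict:
    """Hardened form: same body for an unknown address and for a wrong password."""
    user = USERS.get(email, _DUMMY)
    matches = hmac.compare_digest(_hash(password, user["salt"]), user["pw"])
    if matches and email in USERS:
        return {"ok": True, "name": user["name"]}
    return dict(GENERIC_FAILURE)


def discloses_account(handler, known_email: str, unknown_email: str) -> bool:
    """Regression check: True if a failed login distinguishes a registered address."""
    bad_password = "not-the-password"
    return handler(known_email, bad_password) != handler(unknown_email, bad_password)
```

A check like `discloses_account` belongs in the login endpoint's regression tests, so a later change that reintroduces a name or photo into the failure response fails the build.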

Credit: The Register


    One Response to “Facebook Bug Reveals Names And Photos For All 500 Million Users”

    1. What’s troubling about this story are the comments that users have posted. There is a problem here, and it has to do with the fact that everybody’s face is on the web, and when you have a username that’s listed in a URL, you’re able to physically identify people. And that’s all you need to get the ball rolling on surveillance. If you wanted a conspiracy theory, you can wonder all day about how it is the United States government got 10% of the world to contribute to its CIA database of personal profiles that isn’t as much about what’s actually listed, but the relationships between what’s listed, what’s publicly available, and what’s kept private. The actual information is almost beside the point; the real gold is in the relationships between the decisions that are made, the patterns about those decisions that make for real signatures. Facebook is 500 million users and growing fast. If it’s not the first sole site to hit the 1 billion user mark, it’ll be the next biggest thing, but it’s bound to happen. Is that good or bad? Remember, there is no neutral.
