Facebook Bug Reveals Names And Photos For All 500 Million Users

August 11th, 2010

Facebook Bug Reveals Names And Photos For All 500 Million Users

A bug in Facebook’s login system allows attackers to match unknown email addresses with users’ first and last names, even when they’ve configured their accounts to make that information private.

The information leak can be exploited by social-engineering scammers, phishers, or anyone who has ever been curious about the person behind an anonymous email message. If the address belongs to any one of the 500 million active users on Facebook, the social-networking site will return the full name and picture associated with the account.

“Facebook users have no control over this, as this works even when you have set all privacy settings properly,” Atul Agarwal of Secfence Technologies wrote Wednesday on the Full-disclosure security listserve. “Harvesting this data is very easy, as it can be easily bypassed by using a bunch of proxies.”

Exploiting the vulnerability is as easy as entering the email address into the Facebook sign-on page, typing a random password and hitting enter. To streamline the attack, Agarwal has written a PHP script that works with large lists of email addresses.

Over the past few years, Facebook has come under criticism for revealing too much information about its users. The data — which can include users’ birthdays, home towns and personal friends — can then be used by marketers, stalkers, and other ne’er-do-wells to invade the users’ privacy. The social-networking site has responded by giving users more control over who gets to see select pieces of user information.

Evidently, the name-to–email address extraction bug has been overlooked. We wouldn’t be surprised to see this fixed in short order.

Credit: The Register

Share this item with others:

More on CyberInsecure:

Facebook Album Privacy Exploit

Facebook Bug Allowed Chats To Be Eavesdropped

Another Vulnerability Leaks Private Data On Facebook

Facebook, MySpace Backdoor Exposed User Accounts

Top-Ranked Facebook Applications Transmit Personal IDs, Personal Information To Ad Firms

Posted in Breaches And Incidents, Privacy, Social Networks |

Print This Post

This entry was posted on Wednesday, August 11th, 2010 at 6:38 pm and is filed under Breaches And Incidents, Privacy, Social Networks. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

One Response to “Facebook Bug Reveals Names And Photos For All 500 Million Users”

rolodexter Says:
August 15th, 2010 at 7:11 am

What’s troubling about this story are the comments that users have posted. There is a problem here, and it has to do with the fact that everybody’s face is on the web, and when you have a username that’s listed in a URL, you’re able to physically identify people. And that’s all you need to get the ball rolling on surveillance. If you wanted a conspiracy theory, you can wonder all day about how it is the United States government got 10% of the world to contribute to its CIA database of personal profiles that isn’t as much about what’s actually listed, but the relationships between what’s listed, what’s publicly available, and what’s kept private. The actual information is almost beside the point; the real gold is in the relationships between the decisions that’s made, the patterns about those decisions that makes for real signatures. Facebook is 500 million users and growing fast. If it’s not the first sole site to hit the 1 billion user mark, it’ll be the next biggest thing, but it’s bound to happen. Is that good or bad? Remember, there is no neutral.

Comments with unsolicited links to other resources will be marked as spam. DO NOT leave links in comments. Please leave your real email, it wont be published.

rolodexter Says:
August 15th, 2010 at 7:11 am

What’s troubling about this story are the comments that users have posted. There is a problem here, and it has to do with the fact that everybody’s face is on the web, and when you have a username that’s listed in a URL, you’re able to physically identify people. And that’s all you need to get the ball rolling on surveillance. If you wanted a conspiracy theory, you can wonder all day about how it is the United States government got 10% of the world to contribute to its CIA database of personal profiles that isn’t as much about what’s actually listed, but the relationships between what’s listed, what’s publicly available, and what’s kept private. The actual information is almost beside the point; the real gold is in the relationships between the decisions that’s made, the patterns about those decisions that makes for real signatures. Facebook is 500 million users and growing fast. If it’s not the first sole site to hit the 1 billion user mark, it’ll be the next biggest thing, but it’s bound to happen. Is that good or bad? Remember, there is no neutral.