Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Facebook Bug

A New Facebook Bug Exposes Millions of Email Addresses (wired.com) 15

Still smarting from last month's dump of phone numbers belonging to 500 million Facebook users, the social media giant has a new privacy crisis to contend with: a tool that, on a massive scale, links Facebook accounts with their associated email addresses, even when users choose settings to keep them from being public. Wired reports: A video circulating on Tuesday showed a researcher demonstrating a tool named Facebook Email Search v1.0, which he said could link Facebook accounts to as many as 5 million email addresses per day. The researcher -- who said he went public after Facebook said it didn't think the weakness he found was "important" enough to be fixed -- fed the tool a list of 65,000 email addresses and watched what happened next. "As you can see from the output log here, I'm getting a significant amount of results from them," the researcher said as the video showed the tool crunching the address list. "I've spent maybe $10 to buy 200-odd Facebook accounts. And within three minutes, I have managed to do this for 6,000 [email] accounts."

The researcher [...] said that Facebook Email Search exploited a front-end vulnerability that he reported to Facebook recently but that "they [Facebook] do not consider to be important enough to be patched." Earlier this year, Facebook had a similar vulnerability that was ultimately fixed. "This is essentially the exact same vulnerability," the researcher says. "And for some reason, despite me demonstrating this to Facebook and making them aware of it, they have told me directly that they will not be taking action against it."

In a statement, Facebook said: "It appears that we erroneously closed out this bug bounty report before routing to the appropriate team. We appreciate the researcher sharing the information and are taking initial actions to mitigate this issue while we follow up to better understand their findings." A Facebook representative didn't respond to a question asking if the company told the researcher it didn't consider the vulnerability important enough to warrant a fix. The representative said Facebook engineers believe they have mitigated the leak by disabling the technique shown in the video.

This discussion has been archived. No new comments can be posted.

A New Facebook Bug Exposes Millions of Email Addresses

Comments Filter:
  • by account_deleted ( 4530225 ) on Thursday April 22, 2021 @07:12PM (#61302806)
    Comment removed based on user account deletion
  • When I was young, virtually everyone's phone number and address was available in the white pages. If you didn't have the white pages for where they were, you could just get the operator to look it up for you. A very, very few people had their numbers unlisted for personal reasons of some sort. I think you had to pay for that. I don't recall anyone complaining about it.

    Why would anyone care about their email addresses or phone numbers being publicly available? If it is because people might use them to make s

    • Oh yeah, people complained about that. They put your street address in there too. Basically anybody who wanted to find you, including ex-spouses and anybody else you'd rather not deal with, could find you, unless you paid up.

      That was back in the reign of terror of the local telecom monopolies. After people started moving to cell phones, they didn't really have a monopoly anymore.

    • Because a number of companies have done the stupid, lazy thing of tying you to your phone number / e-mail address.

      It used to be that you had to get someone's name, birthday, social security number, and home address to do damage.

      Now you just have to get someone's phone number and e-mail and do a sim swap in order to take over their online accounts by forcing an e-mail password reset using SMS as the second factor (again, laziness - SMS has been depreciated by NIST since 2016 - see https://www.schneier.com/bl [schneier.com]

  • For the post office, the CBP service, and/or the Russians?

  • We have never seen a database that aggregates as much personal information as what Facebook holds. With the leak for phone numbers for 500M+ users, plus all the email vulnerabilities, open access to city and location information in search... the entire environment is ripe for phishing and social engineering. Governments are incredibly slow to react, but I am also surprised that class action lawsuits are not popping up left and right.
  • If you're on Facebook you don't give a shit about your personal info.

  • You know the risks of using their service. This is just another in a series of stories like this.
    They will maybe get a minor slap on the wrist, and the stock might lose a few cents of value for a moment or two.
    Nothing will change. Business as always.
  • This is why you use one email per "service."

    I don't have facetwat anyway, but I do make it policy to have unique emails (and passwords) for each service/merchant. That way, if I start getting spam addressed to that specific address... I know who sold me out. They'll never see me again.

    But to the 99% of sheep out there who use the same email (and passwords) everywhere they go... "Well, Shane.. they knew what they were getting into when they bought their ticket.. I say.. let 'em crash!" *turns and stares g

Successful and fortunate crime is called virtue. - Seneca

Working...