Sometimes Facebook screws the pooch on privacy on purpose to better monetize the data from its 500 million users. Sometimes it happens accidentally. This week we saw one of the latter.
Atul Agarwal, a researcher on the Full Disclosure security mailing list, discovered an interesting bug in Facebook’s log-on process that gave him access to information he shouldn’t have.
Atul learned that you can extract the names and photos of Facebook users by plugging an email address and any random password into Facebook’s log-on screen. When you enter the wrong password, Facebook helps you out by coughing up the name of the user associated with that email address, along with the photo.
That isn’t the way Facebook is supposed to work. Per a Facebook spokesmodel (as quoted by PC World):
"We have technical systems in place to prevent people's names and photos from showing to unrelated users upon login, but a recently introduced bug temporarily prevented these from working as intended," a company spokeswoman said in an e-mail message. "We are already working on a fix and expect to remedy the situation shortly."
It gets worse. Another security wonk on the list, Kevin Connelly, discovered that you don’t even need to enter a correct email address to make this “feature” work. Enter an email address that’s off by one or two letters, and Facebook will correct it for you.
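To make the failure mode concrete from the defender's side, here is an added example (not Facebook's code, and not from the researchers on the list) that models the two behaviours the article describes in a tiny login handler: a "leaky" version that fuzzy-corrects the email and returns the account's name and photo on a wrong password, beside a hardened version that does an exact lookup and returns one indistinguishable failure response. The user table, email addresses, passwords and photo paths are constructed sample data.

```python
import difflib
import hashlib
import hmac
import os

# Constructed sample accounts (not real users). Passwords are hashed at import
# time so neither handler ever compares plaintext.
_SAMPLE_ACCOUNTS = {
    "alice@example.com": ("Alice Example", "/photos/alice.jpg", "correct horse"),
    "bob@example.com": ("Bob Example", "/photos/bob.jpg", "battery staple"),
}


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


USERS = {}
for _email, (_name, _photo, _pw) in _SAMPLE_ACCOUNTS.items():
    _salt = os.urandom(16)
    USERS[_email] = {
        "name": _name,
        "photo": _photo,
        "salt": _salt,
        "hash": _hash_password(_pw, _salt),
    }

# Dummy record so that rejecting an unknown address costs the same as
# rejecting a wrong password (no timing side channel on account existence).
_DUMMY_SALT = os.urandom(16)


def _password_ok(record: dict, password: str) -> bool:
    return hmac.compare_digest(_hash_password(password, record["salt"]), record["hash"])


def login_leaky(email: str, password: str) -> dict:
    """Reproduces the bug the article describes: the address is 'corrected' to
    the closest known account, and a wrong password still discloses that
    account's name and photo to an unauthenticated caller."""
    candidates = difflib.get_close_matches(email.lower(), USERS.keys(), n=1, cutoff=0.85)
    if not candidates:
        return {"ok": False, "error": "unknown email"}
    record = USERS[candidates[0]]
    if not _password_ok(record, password):
        # The leak: identity details returned before authentication succeeded.
        return {
            "ok": False,
            "error": "wrong password",
            "name": record["name"],
            "photo": record["photo"],
        }
    return {"ok": True, "name": record["name"]}


GENERIC_FAILURE = {"ok": False, "error": "incorrect email or password"}


def login_hardened(email: str, password: str) -> dict:
    """Exact lookup only, a single generic failure message for every failed
    attempt, and a dummy hash computation so unknown addresses are not
    rejected faster than wrong passwords."""
    record = USERS.get(email.lower())
    if record is None:
        _hash_password(password, _DUMMY_SALT)  # equalize work; result ignored
        return dict(GENERIC_FAILURE)
    if not _password_ok(record, password):
        return dict(GENERIC_FAILURE)
    # Profile details are only released after the password has been verified.
    return {"ok": True, "name": record["name"]}
```

The thing to check in a real login endpoint is that every failed attempt, whether the address is unknown, mistyped, or paired with the wrong password, produces the same response body, the same status code and roughly the same response time; rate limiting on the endpoint then caps how fast any remaining difference can be measured.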
Is this a world-ending bug? No. At most, it might help spammers and scammers verify Facebook identities as part of a larger targeted scam – the kind of very specific, spear-phishing attack we’ve begun to see more of on this social network and others. Agarwal notes two possible uses:
“1) Someone has a list of email addresses that he has no clue about. He can feed them to Facebook one by one (or in a list) and chances are that he'll get more than 50% hits. Useful for phishing attacks (People will get more convinced when they see their *real* names).
2) One can generate random email addresses, and *verify* their existence. Hint: You can generate emails using (common names + a corporate domain), and check them against Facebook.”
Still, data is a tricky thing. It can be used in all kinds of unintended ways. That’s why you have to be careful who you share it with, and why companies like Facebook have a special responsibility to keep it safe and prevent bugs like this from happening. There are companies worse than Facebook at this, but there are also better ones.