Facebook bug coughs up user names and photos to anyone who asks

A security bug in Facebook's log-on page lets anyone see your name and photo, regardless of your privacy settings.


Sometimes Facebook screws the pooch on privacy on purpose to better monetize the data from its 500 million users. Sometimes it happens accidentally. This week we saw one of the latter.

Atul Agarwal, a researcher on the Full Disclosure security mailing list, discovered an interesting bug in Facebook’s log-on process that gave him access to information he shouldn’t have.

Atul learned that you can extract the names and photos of Facebook users by plugging an email address and any random password into Facebook’s log-on screen. When you enter the wrong password, Facebook helps you out by coughing up the name of the user associated with that email address, along with the photo.


[Image: Facebook log-on bug]

That isn’t the way Facebook is supposed to work. Per a Facebook spokesmodel (as quoted by PC World):

"We have technical systems in place to prevent people's names and photos from showing to unrelated users upon login, but a recently introduced bug temporarily prevented these from working as intended," a company spokeswoman said in an e-mail message. "We are already working on a fix and expect to remedy the situation shortly."

It gets worse. Another security wonk on the list, Kevin Connelly, discovered that you don’t even need to enter a correct email address to make this “feature” work. Enter an email address that’s off by one or two letters, and Facebook will correct it for you.
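To make the failure mode concrete, here is an added illustration (not Facebook's code, and not from the original article) of a toy log-on handler with the same two defects described above: it renders the account's name and photo on the wrong-password page, and it "corrects" an email address that is one character off. Beside it is a hardened handler that returns one uniform error for both an unknown email and a bad password, and a small check a reviewer can run to confirm the response no longer acts as an account-existence oracle. The account store, names and URLs are constructed sample data.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class User:
    email: str
    display_name: str
    photo_url: str
    salt: bytes
    pw_hash: bytes


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 with a modest iteration count so the example runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)


def make_user(email: str, display_name: str, photo_url: str, password: str) -> User:
    salt = os.urandom(16)
    return User(email, display_name, photo_url, salt, _hash_password(password, salt))


# Constructed sample account store (hypothetical users, not real accounts).
USERS = {
    u.email: u
    for u in [make_user("alice@example.com", "Alice Example", "/photos/alice.jpg", "correct horse")]
}


def _check_password(user: User, password: str) -> bool:
    return hmac.compare_digest(_hash_password(password, user.salt), user.pw_hash)


def _closest_email(email: str):
    """Model of the 'helpful' correction: accept an address that differs by one character."""
    if email in USERS:
        return email
    for candidate in USERS:
        if len(candidate) == len(email) and sum(a != b for a, b in zip(candidate, email)) == 1:
            return candidate
    return None


def login_leaky(email: str, password: str) -> dict:
    """The buggy behaviour the article describes: identity shown on a failed log-on."""
    corrected = _closest_email(email)
    if corrected is None:
        return {"ok": False, "error": "no account for that email"}
    user = USERS[corrected]
    if _check_password(user, password):
        return {"ok": True}
    # Defect: the wrong-password page is rendered with the account's name and photo.
    return {"ok": False, "error": "wrong password",
            "name": user.display_name, "photo": user.photo_url}


def login_hardened(email: str, password: str) -> dict:
    """Uniform failure: nothing in the response depends on whether the email exists."""
    user = USERS.get(email)  # exact match only; no address correction
    if user is None:
        # Do the same password work for unknown emails so response time is uniform too.
        _hash_password(password, b"\x00" * 16)
        ok = False
    else:
        ok = _check_password(user, password)
    if ok:
        return {"ok": True}
    return {"ok": False, "error": "invalid email or password"}


def leaks_identity(handler, known_email: str, unknown_email: str) -> bool:
    """Review check: a failed log-on for a real account must be indistinguishable
    from one for a non-existent account. Any difference is an enumeration oracle."""
    wrong = "not-the-password"
    return handler(known_email, wrong) != handler(unknown_email, wrong)


if __name__ == "__main__":
    print("leaky handler leaks:", leaks_identity(login_leaky, "alice@example.com", "nobody@example.com"))
    print("hardened handler leaks:", leaks_identity(login_hardened, "alice@example.com", "nobody@example.com"))
```

The design point is that the name and photo belong to the post-authentication page, never to the failure branch, and that the failure branch for "no such account" and "bad password" must be byte-for-byte identical (and take similar time) before the form stops confirming which addresses have accounts.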

Is this a world-ending bug? No. At best, it might help spammers and scammers verify Facebook identities as part of a larger targeted scam – the kind of very specific spear-phishing attack we’ve begun to see more of on this social network and others. Agarwal notes two possible uses:

“1) Someone has a list of email addresses that he has no clue about. He can feed them to Facebook one by one (or in a list) and chances are that he'll get more than 50% hits. Useful for phishing attacks (People will get more convinced when they see their *real* names).
