Facebook has another privacy issue on its hands. A security researcher shared a video with Vice, Ars Technica and others, showing how a tool can match email addresses to Facebook profiles in bulk, even if users choose to keep their email information hidden from the public. According to the original source, they reported the front-end vulnerability the tool exploits to Facebook, but they were apparently told the company would not take action against it.
In a statement sent to publications, the social network said it had closed the bug bounty report for the vulnerability in error before routing it to the appropriate team, and that it is now taking the initial steps to alleviate this problem.
Alon Gal, co-founder of cybercrime intelligence firm Hudson Rock, tweeted about the tool with a copy of the video. Technologist Ashkan Soltani also tweeted a transcript of the original video, in which the source explained how they were able to use the tool to match 5 million addresses to Facebook accounts in one day. They also said the tool is available in hacking groups and that bad actors are using it to target page and ad account owners with email access attacks in an attempt to gain control of their pages and accounts for monetary gain.
Facebook did not say what it had already done to prevent the tool from exploiting the vulnerability. Hopefully it has taken the necessary steps to fix the flaw, as the source said there is a large-scale campaign to build a massive database for malicious purposes. The database, if completed, will be populated with the email data collected using this tool and the personal data of the 533 million Facebook members who were affected by a breach revealed last month.