Still reeling from last month's dump of phone numbers belonging to 500 million Facebook users, the social media giant faces a new privacy crisis: a tool that, at scale, links Facebook accounts to their associated email addresses, even when users have chosen settings intended to keep those addresses from being public.
A video released on Tuesday showed a researcher demonstrating a tool called Facebook Email Search v1.0, which he said could link Facebook accounts to as many as 5 million email addresses per day. The researcher, who said he went public after Facebook told him it didn't think the weakness he found was "important" enough to be fixed, fed the tool a list of 65,000 email addresses and watched what happened next.
"As you can see in the output log here, I'm getting a significant amount of results," the researcher said as the video showed the tool processing the mailing list. "I spent maybe $10 to buy about 200 Facebook accounts. And in three minutes I managed to do it for 6,000 [email] accounts."
Ars obtained the video on the condition that it not be shared. A full transcript of the audio appears at the end of this article.
In a statement, Facebook said, "It appears that we mistakenly closed this bug bounty report before forwarding it to the appropriate team. We appreciate the researcher sharing the information and taking initial steps to mitigate this problem while we follow up to better understand their results."
A Facebook representative did not respond to a question asking whether the company had told the researcher that it did not consider the vulnerability significant enough to warrant a fix. The representative said Facebook engineers believed they had mitigated the leak by disabling the technique shown in the video.
The researcher, whom Ars agreed not to identify, said Facebook Email Search exploited a front-end vulnerability he recently reported to Facebook, but that "they [Facebook] do not consider it important enough to be fixed." Earlier this year, Facebook had a similar vulnerability that was eventually fixed.
"It's basically the same vulnerability," the researcher said. "And for some reason, although I demonstrated this to Facebook and shared it with them, they told me directly that they would not act against it."
Facebook has been criticized not only for providing the means for these massive data collections but also for actively promoting the idea that they present minimal risk to Facebook users. An email the company inadvertently sent to a journalist at the Dutch publication DataNews asked public relations officials to "present this as a broad industry problem and normalize the fact that this activity occurs on a regular basis." Facebook has also drawn a distinction between scraping and hacks or breaches.
It's not clear whether anyone actively exploited this bug to build a massive database, but it certainly wouldn't be surprising. "I think this is a pretty dangerous vulnerability, and I would like some help to end it," the researcher said.
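The arithmetic in the video (roughly 250 cheap accounts, 6,000 lookups in three minutes, 5 million per day) is what makes this a scraping problem rather than a one-off lookup feature: any per-account limit is divided across a pool the attacker can buy for $10. As an added example that is not part of the Ars article, not Facebook's code, and not the researcher's tool, the Python below models a server-side throttle for "which user owns this email?" queries that counts lookups per account in a sliding window and gives freshly registered accounts a much smaller allowance. The thresholds, the account ages, and the account pool are constructed assumptions; the simulation defaults mirror the numbers in the article.

```python
"""Throttling email-to-account lookups so a pool of cheap accounts cannot
scrape them in bulk.  Added example; thresholds and account ages below are
hypothetical assumptions, not Facebook's actual policy."""
from collections import defaultdict, deque

# Assumed policy (hypothetical numbers, not Facebook's real limits).
WINDOW_SECONDS = 600             # sliding window for per-account counting
ESTABLISHED_LIMIT = 10           # lookups per window for established accounts
NEW_ACCOUNT_LIMIT = 3            # lookups per window for accounts under 7 days old
NEW_ACCOUNT_AGE_SECONDS = 7 * 24 * 3600


class LookupThrottle:
    """Per-account sliding-window limiter for email-to-user lookups."""

    def __init__(self):
        # account_id -> timestamps of lookups still inside the window
        self.history = defaultdict(deque)

    def allow(self, account_id, account_age_seconds, now):
        """Return True if this lookup may proceed, recording it if so."""
        window = self.history[account_id]
        # Evict timestamps that have aged out of the window.
        while window and now - window[0] >= WINDOW_SECONDS:
            window.popleft()
        limit = (NEW_ACCOUNT_LIMIT if account_age_seconds < NEW_ACCOUNT_AGE_SECONDS
                 else ESTABLISHED_LIMIT)
        if len(window) >= limit:
            return False
        window.append(now)
        return True


def simulate_scrape(num_accounts=250, num_lookups=6000, duration_seconds=180,
                    account_age_seconds=3600, throttle=None):
    """Round-robin a target email list across a pool of accounts, the way the
    tool in the video distributes its queries, and count how many lookups the
    throttle lets through.  Defaults mirror the article: about 250 freshly
    bought accounts and 6,000 lookups in three minutes.  Returns (allowed, blocked)."""
    throttle = throttle or LookupThrottle()
    allowed = blocked = 0
    for i in range(num_lookups):
        account_id = f"acct-{i % num_accounts}"        # constructed sample pool
        now = i * duration_seconds / num_lookups      # evenly spaced lookups
        if throttle.allow(account_id, account_age_seconds, now):
            allowed += 1
        else:
            blocked += 1
    return allowed, blocked


if __name__ == "__main__":
    fresh = simulate_scrape()
    aged = simulate_scrape(account_age_seconds=30 * 24 * 3600)
    print(f"fresh accounts: {fresh[0]} allowed, {fresh[1]} blocked")
    print(f"30-day-old accounts: {aged[0]} allowed, {aged[1]} blocked")
```

With the assumed limits, the fresh-account pool gets 3 lookups per account before the rest are refused, so the 6,000-lookup burst yields 750 results instead of 6,000. The caveat a defender should keep in mind is that a per-account limit only raises the attacker's cost linearly: 250 accounts at 3 lookups per ten minutes still allows on the order of 100,000 lookups a day, so the per-account window needs to be paired with an aggregate signal (for example the total lookup volume coming from accounts under a week old) before the 5-million-per-day figure in the video is really off the table.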
Here is the written transcript of the video:
So what I would like to demonstrate here is an active vulnerability within Facebook, which allows malicious users to query email addresses in Facebook and Facebook returns all matching users.
It works via a front-end vulnerability in Facebook, which I pointed out to them and made them aware of, uh, and they don't consider it important enough to be fixed, which I would consider a pretty significant privacy breach and a big problem.
This method is currently used by software available now within the hacker community.
Currently, it's used to compromise Facebook accounts for the purpose of taking over groups, pages and, uh, Facebook ad accounts for, obviously, monetary gain. I have implemented this visual example in Node.js.
What I did here was take 250 Facebook accounts, newly registered Facebook accounts, which I bought online for around $10.
I have polled, or I am querying, 65,000 email addresses. And as you can see from the output log here, I'm getting a significant amount of results from them.