Feeds

Facebook bug spills name and pic for all 500 million users

Just add email address

Beginner's guide to SSL certificates

Updated A bug in Facebook's login system allows attackers to match unknown email addresses with users' first and last names, even when they've configured their accounts to make that information private.

The information leak can be exploited by social-engineering scammers, phishers, or anyone who has ever been curious about the person behind an anonymous email message. If the address belongs to any one of the 500 million active users on Facebook, the social-networking site will return the full name and picture associated with the account.

"Facebook users have no control over this, as this works even when you have set all privacy settings properly," Atul Agarwal of Secfence Technologies wrote Wednesday on the Full-disclosure security listserve. "Harvesting this data is very easy, as it can be easily bypassed by using a bunch of proxies."

Exploiting the vulnerability is as easy as entering the email address into the Facebook sign-on page, typing a random password and hitting enter. To streamline the attack, Agarwal has written a PHP script that works with large lists of email addresses.

Over the past few years, Facebook has come under criticism for revealing too much information about its users. The data — which can include users' birthdays, home towns and personal friends — can then be used by marketers, stalkers, and other ne'er-do-wells to invade the users' privacy. The social-networking site has responded by giving users more control over who gets to see select pieces of user information.

Evidently, the name-to–email address extraction bug has been overlooked. We wouldn't be surprised to see this fixed in short order. ®

Update

Indeed, at 8 pm Wednesday California time, about 10 hours after this article was published, the exploit no longer worked.

Remote control for virtualized desktops

Whitepapers

Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
Designing and building an open ITOA architecture
Learn about a new IT data taxonomy defined by the four data sources of IT visibility: wire, machine, agent, and synthetic data sets.
How to determine if cloud backup is right for your servers
Two key factors, technical feasibility and TCO economics, that backup and IT operations managers should consider when assessing cloud backup.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.