Facebook moves quick to stamp out potential Phishing bug
by Steve Ragan - Aug 12 2010, 13:36

Facebook appears to have patched a bug that would allow spammers to harvest names and email addresses. While the feature itself was added to the site with good intentions, a bug in its implementation circumvented privacy settings.
The bug, which impacted all 500 million users of the social networking site, allowed someone with less than honest intentions to view the first and last name of a given Facebook user, along with their email address and profile photo.
The feature that could have been exploited is actually somewhat useful to many users. However, according to Facebook, when changes were made to the site recently, a bug was introduced that turned the log-in script inside out.
When you log in to Facebook but use an incorrect password, the error page displayed shows your current profile picture and your first and last name. As mentioned, this visual confirmation is handy, but it could also have acted as a confirmation tool for criminals.
This is because if you entered a given email address, one that wasn’t associated with your account, you could pull the same data from the error page as long as the email address was associated with someone on Facebook.
Atul Agarwal, who posted to the Full Disclosure mailing list yesterday about the problem, explained that one could “generate random email addresses, and verify their existence,” due to the fact that, “this works even when you have set all privacy settings properly.”
The fear was that the bug could be used to propagate phishing scams, malware, or both, since the harvested data would allow the malicious content to be personalized for a given victim.
Agarwal, of Secfence Technologies, included a proof-of-concept script that could be used to test for the leak and collect the exposed information. Later research turned up the fact that if an email address was close to one used on an account, but not exact, Facebook would automatically correct the error and return the proper profile.
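As an added illustration (not code from the article or from Facebook), the toy login handlers below model the two behaviours the story describes: one whose failure page echoes the matched account's name and photo, and a hardened one that returns the same generic error whether or not the email exists and does exact matching only, with no near-miss correction. The account store, salt and passwords are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample store; a real system would use a dedicated password hash (scrypt, argon2).
SALT = b"demo-salt"


def _hash(pw: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), SALT, 10_000)


ACCOUNTS = {
    "alice@example.com": {"name": "Alice Example", "photo": "/photos/alice.jpg",
                          "hash": _hash("correct-horse")},
}
# Compared for unknown emails so the known/unknown paths do the same amount of work.
DUMMY_HASH = _hash("placeholder")
GENERIC_ERROR = "The email or password you entered is incorrect."


def login_vulnerable(email: str, password: str) -> dict:
    """Behaviour described in the article: a wrong password echoes the account's profile."""
    acct = ACCOUNTS.get(email)
    if acct is None:
        return {"ok": False, "error": "No account with that email"}
    if hmac.compare_digest(acct["hash"], _hash(password)):
        return {"ok": True, "name": acct["name"]}
    # Leak: any email that belongs to an account comes back with a name and photo.
    return {"ok": False, "error": "Wrong password",
            "name": acct["name"], "photo": acct["photo"]}


def login_hardened(email: str, password: str) -> dict:
    """Uniform failure: identical body for unknown email and wrong password, exact match only."""
    acct = ACCOUNTS.get(email)  # no fuzzy correction of near-miss addresses
    expected = acct["hash"] if acct is not None else DUMMY_HASH
    password_ok = hmac.compare_digest(expected, _hash(password))
    if acct is not None and password_ok:
        return {"ok": True, "name": acct["name"]}
    return {"ok": False, "error": GENERIC_ERROR}


def failures_distinguishable(login, known_email: str, unknown_email: str) -> bool:
    """Defender's check: does a failed login reveal whether an email belongs to an account?"""
    return login(known_email, "not-the-password") != login(unknown_email, "not-the-password")
```

Running `failures_distinguishable` against a login endpoint's responses is the kind of regression check that catches this class of leak before a site change ships.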
The good news is that Facebook has acted quickly to resolve the problem, and testing on various Facebook accounts this morning returned a standard error page, with no account information.
There are no reports of this bug being used to harvest data, likely due to the fast fix issued by Facebook.
