Research leads to an interesting flaw on Facebook

Update:

Facebook has patched this flaw. According to Facebook's Simon Axten, the patch was pushed the same week this article was published. We asked Simon what it was Facebook fixed, and if they could explain the emails.

"They were emails to which the user had previously sent an invitation to join the site. The fix that we pushed last week prevents email addresses belonging to people who have been invited to Facebook, but haven't yet joined, from auto-populating in the message composer," he said.

We asked the researcher who discovered the flaw, Antonio Sanso, if he was confident in the fix. To date, while his confidence isn't all that high, he has been unable to replicate his original work, so the fix is holding.

Original Article:

Earlier this morning a researcher we will call Antonio sent The Tech Herald a puzzling email. He said he had discovered a kind of vulnerability on Facebook. As it turns out, what he discovered is a rather unique information disclosure flaw.

The information being disclosed by Antonio’s discovery is email addresses by the thousands. They’re exposed by a flaw that centers on the inbox URL used by Facebook. While targeting a specific user ID number, it is possible to manipulate the inbox URL to display email addresses in clear text. Not all user ID numbers will work, but with some trial and error, as was the case when Antonio started his research, you can pull several email addresses in a short amount of time.

This is a spammer’s dream, based on the sample list of confirmed IDs that came with the disclosure sent by Antonio. When he gave us a look at the technique, the first example worked instantly. Using a test account, we were able to confirm his discovery and view dozens of email addresses using the list, but we’ve not made it through the entire batch of more than 4,000 IDs.

Now, let’s look at the unique part of his discovery. The email addresses disclosed by the manipulation trick are not associated with a Facebook account. There could be a few reasons for this, but there’s no clear explanation, as Facebook isn’t talking.

One possible explanation is that the email addresses are in the Facebook system because they were added to someone’s block list. Facebook’s privacy settings allow you to enter a user’s email address into your block list, so that they are prevented from viewing your profile. If the email being blocked isn’t presently associated with a Facebook account, it is stored. Later, if the email is used, the block will go into effect automatically.

Another possible reason is that the addresses disclosed are contacts added to accounts when a user utilizes the “Find People You Email” function. With this option, you can import your address book, and use your email contacts as a starting point to add friends. 

Either way, the fact that the email addresses discovered were not associated with a Facebook account was confirmed by Facebook themselves in January, when Antonio reported his findings to the social networking portal.

In the email conversation forwarded to The Tech Herald, Facebook acknowledged that they investigated his report, but added that an email address will only appear as Antonio described if the ID used is not associated with a Facebook user.

“Please rest assured that we have security precautions in place that would prevent someone from attempting to use the message system to gather email addresses in this manner,” added the response.

When asked why the email addresses were still being displayed if the owner was not a Facebook user, the only response given was that, “…we cannot release any information regarding another user or email address that we may have in our system.”

With regard to the security mentioned, when we tested Antonio’s discovery, we encountered CAPTCHA-based security. We’re hoping there’s more security in place that we didn’t notice. We were easily able to confirm entirely too many addresses in a short amount of time for simple CAPTCHAs to have caused us any real problems.

CAPTCHA-based security has been proven weak in the past, and considering the discovery last week by AVG’s Roger Thompson, where evidence suggested that criminals have discovered a way to automate the creation of Facebook accounts, this layer of protection may have already been broken.

When talking about the seemingly auto-created Facebook accounts, Thompson mentioned that one possible way for the criminals to pull off such a feat was by cracking the CAPTCHA used on the site. As things stand, Facebook is still looking into how the accounts were created.

We’ve emailed Facebook to ask about the security measures in place to prevent email harvesting, and to ask once again if they would explain why this URL manipulation allows email addresses that are apparently not associated with a Facebook account to be visible. If we hear back, we’ll update this article.
