Facebook has patched this flaw. According to Facebook's Simon Axten, the patch was pushed the same week this article was published. We asked Simon what it was Facebook fixed, and if they could explain the emails.
"They were emails to which the user had previously sent an invitation to join the site. The fix that we pushed last week prevents email addresses belonging to people who have been invited to Facebook, but haven't yet joined, from auto-populating in the message composer," he said.
We asked the researcher who discovered the flaw, Antonio Sanso, if he was confident in the fix. To date, his confidence isn't all that high, but he has been unable to replicate his original work, so the fix is holding.
Earlier this morning a researcher we will call Antonio sent The Tech Herald a puzzling email. He said he had discovered a kind of vulnerability on Facebook. As it turns out, what he discovered is a rather unique information disclosure flaw.
The information being disclosed by Antonio’s discovery is email addresses by the thousands. They’re exposed by a flaw that centers on the inbox URL used by Facebook. While targeting a specific user ID number, it is possible to manipulate the inbox URL to display email addresses in clear text. Not all user ID numbers will work, but with some trial and error, as was the case when Antonio started his research, you can pull several email addresses in a short amount of time.
This is a Spammer’s dream based on the sample list of confirmed IDs that came with the disclosure sent by Antonio. When he gave us a look at the technique, the first example worked instantly. Using a test account, we were able to confirm his discovery and view dozens of email addresses using the list, but we’ve not made it through the entire batch of more than 4,000 IDs.
Now, let’s look at the unique part of his discovery. The email addresses disclosed by the manipulation trick are not associated with a Facebook account. There could be a few reasons for this, but there’s no clear explanation, as Facebook isn’t talking.
One possible explanation is that the email addresses are in the Facebook system because they were added to someone’s block list. Facebook’s privacy settings allow you to enter a user’s email address into your block list, so that they are prevented from viewing your profile. If the email being blocked isn’t presently associated with a Facebook account, it is stored. Later, if the email is used, the block will go into effect automatically.
Another possible reason is that the addresses disclosed are contacts added to accounts when a user utilizes the “Find People You Email” function. With this option, you can import your address book, and use your email contacts as a starting point to add friends.
Either way, the fact that the email addresses discovered were not associated with a Facebook account was confirmed by Facebook themselves in January, when Antonio reported his findings to the social networking portal.
In the email conversation forwarded to The Tech Herald, Facebook acknowledged that they investigated his report, but added that an email address will only appear as Antonio described if the ID used is not associated with a Facebook user.
“Please rest assured that we have security precautions in place that would prevent someone from attempting to use the message system to gather email addresses in this manner,” added the response.
When asked why the email addresses were still being displayed if the owner was not a Facebook user, the only response given was that, “…we cannot release any information regarding another user or email address that we may have in our system.”
With regard to the security mentioned, when we tested Antonio’s discovery, we encountered CAPTCHA-based security. We’re hoping there’s more security in place that we didn’t notice. We were easily able to confirm entirely too many addresses in a short amount of time for simple CAPTCHAs to have caused us any real problems.
CAPTCHA-based security has been proven weak in the past, and considering the discovery last week by AVG’s Roger Thompson, where evidence suggested that criminals have discovered a way to automate the creation of Facebook accounts, this layer of protection may have already been broken.
When talking about the seemingly auto-created Facebook accounts, Thompson mentioned that one possible way for the criminals to pull such a feat off was by cracking the CAPTCHA used on the site. As things stand, Facebook is still looking into how the accounts were created.
We’ve emailed Facebook to ask about the security measures in place to prevent email harvesting, and to ask once again if they would explain why this URL manipulation allows email addresses that are apparently not associated with a Facebook account to be visible. If we hear back, we’ll update this article.