Get ready: Facebook has a new mega leak on its hands


The social media giant, still reeling from last month's leak of phone numbers belonging to 500 million Facebook users, is grappling with a new privacy crisis: a tool that links Facebook accounts to their associated email addresses en masse, even when users have chosen settings that are supposed to keep those addresses private.

A video posted on Tuesday showed a researcher demonstrating a tool called Facebook Email Search v1.0 that could link Facebook accounts to as many as 5 million email addresses per day. The researcher, who said he went public after Facebook told him the weakness he found wasn't important enough to be fixed, fed the tool a list of 65,000 email addresses and watched what happened next.

“As you can see from the output log here, I’m getting a significant amount of results,” the researcher said as the video showed the tool crunching the address list. “I spent maybe $10 buying about 200 Facebook accounts. And within three minutes, I managed to do it for 6,000 [email] accounts.”

Ars received the video on the condition that it not be shared. A full transcript of the audio appears at the end of this post.

Drop the ball

In a statement, Facebook said, “It appears that we mistakenly closed this bug bounty report before forwarding it to the appropriate team. We appreciate the researcher sharing the information and we are taking initial steps to address this issue while we follow up to better understand their results.”

A Facebook representative didn’t respond to a question about whether the company told the researcher that the vulnerability wasn’t important enough to warrant a fix. The representative said Facebook engineers believe they mitigated the leak by disabling the technique shown in the video.


The researcher, whom Ars agreed not to identify, said Facebook Email Search exploits a front-end vulnerability he recently reported to Facebook, but that “they [Facebook] don’t consider it important enough to be patched.” Earlier this year, Facebook had a similar vulnerability that was eventually fixed.

“This is essentially the same vulnerability,” the researcher said. “And for some reason they told me directly that they would not do anything about it, even though I was demonstrating this to Facebook and bringing it to their attention.”

On Twitter

Facebook has been criticized not only for enabling these huge collections of data, but also for actively trying to promote the idea that they do minimal harm to Facebook users. An email that Facebook accidentally sent to a reporter for the Dutch publication DataNews instructed PR staff to “frame this as a broad industry issue and normalize the fact that this activity happens regularly.” Facebook has also drawn a distinction between scraping and hacks or breaches.

It’s not clear whether anyone has actively exploited this bug to build a huge database, but it certainly wouldn’t be surprising. “I believe this is a pretty dangerous vulnerability and I would like to help stop it,” the researcher said.

Here is the written transcript of the video:

What I want to demonstrate here is an active vulnerability within Facebook that allows malicious users to query email addresses within Facebook and have Facebook return any matching users.

Um, this works with a Facebook front-end vulnerability that I reported to them, and they made me aware that they consider it not important enough to be patched, [which is a] significant, er, privacy breach and one big problem.

This method is currently used by software currently available in the hacking community.

Currently it is used to compromise Facebook accounts to take over page groups and Facebook advertising accounts to obviously make money. Um, I didn’t set up this visual example in any JS.

What I did here is take 250 Facebook accounts, newly registered Facebook accounts that I bought online for about $10.

Um, I checked or asked for 65,000 email addresses. And as you can see in the output log here, I’m getting a significant amount of results.

If I look at the output file, you can see that I have a user ID, name and email address that match the input email addresses I used. Now, like I said, I’ve spent maybe $10 buying about 200 Facebook accounts with two. And within three minutes, I managed to do this for 6,000 accounts.

I’ve tested this on a larger scale and it is possible to use it to extract up to 5 million email addresses per day.

There was an existing security vulnerability on Facebook earlier this year that has been fixed. This is essentially the exact same vulnerability. And for some reason they directly told me they won’t do anything about it, even though I am demonstrating this to Facebook and bringing it to their attention.

So I reach out to people like you in the hope that you can use your influence or contacts to stop this because I am very, very confident.

Not only is this a major invasion of privacy, but it also results in another, yet another, large data dump, including email, which allows unwanted parties to not only match that email to user IDs, but also attach the email address to phone numbers that were available from previous breaches. I’m very excited to demonstrate the vulnerability in the front end so you can see how this works.

I’m not going to show it in this video just because I don’t want the video to be exploited, um, I don’t want the method to be exploited, but I would be willing to do it to demonstrate it, um, if that is necessary, but as you can see, more and more is being spent. I believe this is a pretty dangerous vulnerability and I would love to help stop it.


Steven Gregory