
Still smarting from last month’s dump of 500 million Facebook users’ phone numbers, the social media giant has a new privacy crisis to deal with: a tool that, on a massive scale, links Facebook accounts to the email addresses registered to them, even when users have chosen settings meant to keep those addresses from being public.
A video circulating on Tuesday showed a researcher demonstrating a tool called Facebook Email Search v1.0, which he said could link Facebook accounts to as many as 5 million email addresses a day. The researcher, who said he went public after Facebook told him it did not consider the weakness he found “significant” enough to be fixed, fed the tool a list of 65,000 email addresses and watched what happened next.
“As you can see from the output log here, I get a significant amount of results from these,” the researcher said, as the video showed the tool working through the address list. “I spent maybe $10 to buy 200 Facebook accounts. And in three minutes, I managed to do that for 6,000 [email] accounts.”

Ars obtained the video on condition that it not be distributed. A full audio transcript appears at the end of this post.
Dropping the ball
In a statement, Facebook said: “It appears that we erroneously closed this bug bounty report before routing it to the appropriate team. We appreciate the researcher sharing the information and are taking initial action to mitigate this issue while we follow up to better understand the findings.”
A Facebook representative did not answer a question asking whether the company had told the researcher it did not consider the vulnerability important enough to justify a fix. The representative said that Facebook engineers believe they have mitigated the leak by disabling the technique shown in the video.
The researcher, whom Ars agreed not to identify, said that Facebook Email Search exploited a front-end vulnerability that he had recently reported to Facebook, but one that “they [Facebook] do not consider important enough to be fixed.” Earlier this year, Facebook had a similar vulnerability that was eventually fixed.
“This is essentially the exact same vulnerability,” the researcher said. “And for some reason, despite the fact that I demonstrated this to Facebook and made them aware of it, they told me directly that they would not take action against it.”
Facebook has come under fire not only for providing the means for these massive data collections, but also for the way it actively tries to promote the idea that they do minimal harm to Facebook users. An email Facebook accidentally sent to a reporter at the Dutch publication DataNews instructed public relations staff to “frame this as a broad industry problem and normalize the fact that this activity takes place regularly.” Facebook has also drawn a distinction between scraping and hacks or breaches.
It is not clear whether anyone actively exploited this bug to build a massive database, but it would certainly not be surprising. “I think this is a pretty dangerous vulnerability, and I would like help to stop this,” the researcher said.
Here is the written transcript of the video:
So what I would like to demonstrate here is an active vulnerability within Facebook, which allows malicious users to query, um, email addresses within Facebook and have Facebook return any matching user.
Um, this works through a front-end vulnerability in Facebook, which I reported and made them aware of, um, that they don’t consider important enough to fix, uh, which I would consider quite a significant, uh, breach of privacy and a big issue.
This method is currently used by software which is available right now in the hacking community.
It is currently used to compromise Facebook accounts in order to take over pages, groups and, uh, Facebook advertising accounts, obviously for monetary gain. Um, I set up this visual example in JS.
What I did here is I took 250 Facebook accounts, newly registered Facebook accounts, which I bought online for about $10.
Um, I queried 65,000 email addresses. And, as you can see from the output log here, I get a significant amount of results from them.
If I take a look at the output file, you can see that I have a username and email address that match the email addresses I entered, which I used. Now I have, as I say, spent maybe $10 to buy 200 Facebook accounts. And within three minutes, I was able to do that for 6,000 accounts.
I’ve tested this on a larger scale and can feasibly use it to extract up to 5 million email addresses a day.
Now, there was an existing vulnerability on Facebook, uh, earlier this year that was fixed. This is essentially the exact same vulnerability. And, for some reason, despite the fact that I demonstrated this to Facebook and made them aware of it, um, they told me directly that they would not take action against it.
So I’m addressing people like you, hoping you can use your influence or contacts to stop this, because I’m very, very confident
this is not only a huge breach of privacy, but this will result in a new, another big data dump, including emails, that will allow unwanted parties not only to have these email-to-user-ID matches, but also to attach them to the email addresses and phone numbers that were available in previous breaches. Um, I’m quite happy to demonstrate the front-end vulnerability, so you can see how this works.
I won’t show it in this video simply because I don’t want the method to be exploited, but I’d be happy enough to prove it, um, if necessary. But, as you can see, it continues to produce more and more. I think this is a pretty dangerous vulnerability, and I would like help to stop this.