
Facebook name extraction based on email/wrong password + POC - iamelgringo
http://seclists.org/fulldisclosure/2010/Aug/130
======
tptacek
In almost any web app you'd write this up as "Sev: Low", "Impact: Information
Leakage".

But this isn't any web app; it's the most popular complex web app in the
world. It seems like there's zero likelihood Facebook doesn't (a) know about
this and (b) want Facebook to work this way. Presumably, it helps people like
my mom.

It was always a bad idea to associate your secret anonymous email address that
you use to send ransom letters with your Facebook account.

~~~
patio11
There are a lot of tradeoffs one makes with dealing with nontechnical
customers which geeks might hate. Geeks do not have to worry about the
"Facebook login" fiasco, but if you sell to my customers, are Paypal, etc,
then login issues are a core business requirement. Note that site abandonment
among users unable to log in is ridiculously high (I should track this...) and
every time that happens Facebook loses revenue, shareholder value, and network
effects.

------
joshfraser
Um, it's easier than that. You can do this with the graph API. Although
current (but undocumented) rate limits make it infeasible to do much with it.

[https://graph.facebook.com/search?q=josh@eventvue.com&ty...](https://graph.facebook.com/search?q=josh@eventvue.com&type=user&access_token=..).

<http://developers.facebook.com/docs/api#search>

------
antileet
The author states it might be useful in guessing valid company email
addresses. Isn't it easier to create a CSV/Outlook compatible file containing
hundreds of generated addresses, and then ask Facebook to find new friends for
you? Plus, that will allow you to check many more addresses before Facebook
senses something silly and disables the login form - which would happen if you
use the login-form method.

Heck, this is perfectly possible with LinkedIn and twitter as well. I don't
understand what the fuss is.

~~~
pyre
The author states that this does not check a user's privacy settings, but as
another participant in the thread points out[1], importing an address book to
look for new contacts respects privacy settings (i.e. a 'new contact' will
only show up if their privacy settings allow their profile to show up in
search results).

[1]: <http://seclists.org/fulldisclosure/2010/Aug/137>

~~~
antileet
Right. That makes sense.

However, since this solution isn't spectacularly scalable, I'm not too
worried.

------
hackount
Since GMail released their small revision the other day that put a more
"GMail-like" GUI on the Contacts section, I've been sorting and completing my
list of contacts. I had 5 ambiguous e-mail addresses left that I couldn't
pinpoint who they belonged to. After reading this article I decided to give
this Facebook feature/vulnerability a try. 4 out of 5 previously anonymous
e-mails are now verified with their first, last name, and photo (it turns out
I know all 4 in person so in all likelihood the results are correct). Not too
shabby, and a little bit scary.

~~~
PidGin128
What did you find when you searched for the address in your conversations?

------
dotBen
RapLeaf offers a service where you give it an email address and it returns the
Facebook, Twitter and other social media accounts associated with it.

Now, I'm not saying they are using _this_ vector, but then they must be using
something like this because how else could they offer the service. (This also
means there might be other vectors to achieve this end result).

To me, this also makes me pleased that I use a unique email address against my
email domain for each site I use.

~~~
ehsanul
Rapportive also does this.

~~~
newman314
Actually, I find this pretty creepy.

See the following including a link to see what is available via email address
lookup.

[http://jeffreykishner.com/2010/03/what-anyone-can-know-just-...](http://jeffreykishner.com/2010/03/what-anyone-can-know-just-from-your-email-address-rapportive-and-rapleaf/)

[http://petewarden.typepad.com/searchbrowser/2009/12/what-can...](http://petewarden.typepad.com/searchbrowser/2009/12/what-can-i-find-out-about-you-if-i-know-your-email-address.html)

<http://web.mailana.com/labs/findbyemail/>

------
SpikeGronim
I agree with the overall sentiment that this is a relatively minor
vulnerability.

It could be put to malicious use by phishers. If I know your full name I can
make more realistic phishing emails.

~~~
metachris
Well the problem with this vulnerability is that many spammers have millions
of email addresses, only a fraction of them with the full name. With this
Facebook issue they will get tens or hundreds of thousands of names connected,
and will further resell this database.

This seems like quite an asset to me, because spam mails with the real name
will have a much higher engagement.

~~~
ams6110
I always use my real name when I send email, so email coming to me with my
name on it is unremarkable and does not give me any reason to think it's
"safe."

------
jasonneal
I'm not so sure why this even matters. If you search for someone based on
their email address within Facebook, it comes up with their name and photo as
well. In my case, it's a feature. But true there is no point to it giving this
information on the wrong password screen, but if someone wants this
information they can still get it using Facebook.

Maybe Google should worry about this too...I usually type unfamiliar email
addresses into Google and end up with far more than just a name and a picture.

~~~
chc
You can block your profile from coming up in searches with Facebook's privacy
settings.

------
user24
Nice find. The followup is correct; slight misspellings are corrected, allowing
further guesses.

This coupled with the fbnames release earlier makes me think it's only a
matter of time before someone crawls and "open sources" all accessible
personal data from facebook.

~~~
jamesseda
I don't know that "marketing research" companies are not already generating
databases from FB data like this.

------
marte
The same can be done for Gmail (and probably Google Apps) users through GDocs.
Just share a document to an email address, and GDocs will show you their name.

~~~
uxp
But that ends up sending an email to the account you extend the sharing
request to. It might raise a red flag to some people.

This 'vulnerability' doesn't contact the victim, so it can be done in
combination with, like the report said, a phishing scheme to gain the real
names of the users of an email list.

I'm not saying that this is some massive privacy issue. It opens up a vector
to make other attacks, specifically email based attacks, seem more legitimate,
which is a bad thing.

~~~
marte
There is an option to not send an email. And it's not a request - once you
share it, the recipient doesn't need to accept. The users can see them in
their GDocs list though. But if you quickly unshare them and they're not
currently viewing their list, they'll be unaware of it.

~~~
uxp
I didn't think that it was an option, but I did check. You are right. Of the
three checkbox options, notifying the recipient of a share invitation is the
only one checked by default.

Either way, my main point stands. This isn't a major privacy issue. Though,
I've always been taught that when developing an authentication mechanism, one
should not distinguish between a bad password or bad email address/user name
in the error message provided to the user. Specifically the latter, since an
"Invalid password supplied for John Doe" gives confirmation that the username
provided is valid, and a bruteforce or dictionary attack on the name will
probably be successful.
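
The design point made in the comment above, as an added example that is not part of the thread: a login check that leaks the account holder's name and distinguishes unknown addresses, beside a hardened version that returns one uniform error and hashes against a dummy record for unknown emails so the failure cases cost the same work. The user table, names and credentials are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets


def _hash_password(password: str, salt: bytes) -> bytes:
    # Same cost for every call; a real system would tune the iteration count.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed in-memory "user table": email -> (salt, password hash, display name).
_SALT = os.urandom(16)
USERS = {
    "john.doe@example.com": (_SALT, _hash_password("correct horse", _SALT), "John Doe"),
}

# Dummy credential hashed with the same cost, so an unknown email still does
# a full password hash and the response time does not reveal the difference.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password(secrets.token_hex(16), _DUMMY_SALT)


def login_leaky(email: str, password: str) -> str:
    """The behaviour the thread describes: the error names the account holder
    on a wrong password and differs for addresses with no account."""
    rec = USERS.get(email)
    if rec is None:
        return "No account for that email"
    salt, stored, name = rec
    if hmac.compare_digest(_hash_password(password, salt), stored):
        return f"Welcome, {name}"
    return f"Invalid password supplied for {name}"


def login_uniform(email: str, password: str) -> str:
    """Hardened form: one error string for both failure cases, and the same
    hashing work whether or not the email exists."""
    rec = USERS.get(email)
    salt, stored, name = rec if rec is not None else (_DUMMY_SALT, _DUMMY_HASH, None)
    ok = hmac.compare_digest(_hash_password(password, salt), stored)
    if ok and name is not None:
        return f"Welcome, {name}"
    return "Invalid email or password"
```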

------
julianz
Not sure if that's only on Facebook US servers or it's been disabled already,
but from here in NZ there's no such info leakage, you get a very boring error
page.

The only thing you can discover is whether the email address you entered is a
valid Facebook login or not - you get a different error response for an email
address that's not a valid Facebook login.

~~~
dagw
It works exactly as claimed from Sweden at least. It returns my full name, a
profile pic, and corrects minor typos.

------
randallsquared
I guess they fixed it? It's not showing anything about me on a wrong
password...

------
mildweed
Easier: install Rapportive.