
Disclosing the Primary Email address for each Facebook user - dawgyg
http://dawgyg.com/2016/12/21/disclosing-the-primary-email-address-for-each-facebook-user/
======
Jake232
This bug could have been used to make _so much money_.

1\. Find a group on Facebook of users you're interested in.

2\. Do this bug to get all of their emails.

3\. Build a lookalike audience from these emails.

Goldmine.

~~~
dsacco
I'd be willing to bet a five-figure sum that this plan would work either not
at all, or for less than a week.

The vulnerability itself is interesting, and more prone to monetization
utility than the standard fare of bug bounty reports that get posted here, so
I'll give you that.

However, Facebook has one of the most sophisticated anti-scraping/crawling
systems I have ever seen in production. Automating this with any non-trivial
scale would immediately alert several teams, especially in security, risk, QA
and analytics.

This is assuming that you could realistically automate the act of inviting and
uninviting non-friends without any penalization. In fact, what would probably
happen is a rate-limit trigger that would temporarily knock out access from
your IP address. There are also account-level rate limits, not just IP-level.

Realistically, I'd use this for targeting a specific person in order to get
their private contact information. I suppose that could actually be worth
something, like if someone wanted a well known VC's private email address. But
it's an odd length to go to nowadays when most professional emails are pretty
guessable.

~~~
mysterypie
> Facebook has one of the most sophisticated anti-scraping/crawling systems

Not only that, Facebook has such a sophisticated security design that
prevents leaking of private information in the first place. Oh, wait...
/Irony.

I don't understand why FB can be so sloppy in one aspect of security and yet
you claim that they are brilliant in another aspect of security. It's
possible. It's possible that some guy never washes his hands, his hands are
completely filthy, but his clothes are always impeccably clean. That's
possible too. Just unlikely.

~~~
dsacco
You started with two mistaken premises, which makes your analogy a poor
comparison:

1\. Facebook doesn't have "sloppy" security. The company and its software are
massive and have many, many participants involved in the product and software
development loop. You have unrealistic expectations for a company of that size
with a consumer-facing product. Facebook continually recruits the best
available talent in the security industry and empowers them to do their jobs
without shooting themselves in the feet or getting kneecapped by cavalier
product design. They also produce some of the best security research and
implement best practices wherever they can.

I want you to look through any of Facebook's main or subsidiary applications
and tell me how quickly you can identify CSRF, XSS, SQL injection, or a
logical ACL failure like the one presented in this report. What you are not
seeing is the utter deluge of bug bounty reports Facebook receives as a
company and the nearly impeccable track record it has. The company receives
over 80,000 reports each year, and fewer than 10% are valid security
vulnerabilities. A tiny portion of those could be classified as "high" or
"critical" severity.

You are also not seeing the meticulous, continually running machine that is
the overall Facebook security organization. Not only are bug bounty
participants aggressively recruited at Facebook, they are frequently put in
charge of maintaining one of the most successful and recognizable bug bounty
programs in the industry. Have a read through Ryan McGeehan's writings and
presentations for a bit of insight into how much investment Facebook has put
into incident response and security tooling in the past decade.

2\. On a more technical level: rate-limiting is vastly simpler than overall
security vulnerability resolution. It is comparatively straightforward to
implement a rate limiting system with enough sophistication to combat a
sizeable botnet attempting to crawl through a web application or automate user
actions. Facebook does this using a variety of heuristics and even machine
learning, with collaboration between the security (incident response), risk
and data analysis teams doing the heavy lifting. While the work itself might
not be easy, the deliverables and outcomes for such a system are very clear.
In contrast, application security is a hard problem which primarily results
from a software implementation that doesn't match the design spec (logical
errors) or a design spec which fails to correctly incorporate a risk
assessment. It is _not_ straightforward to eliminate every vulnerability,
because you can't just write a script that proves immunity from the OWASP Top
Ten and be done with it.
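
The two-level throttling described above (an IP-level limit plus a separate account-level limit, so moving one account across IPs or many accounts through one IP both trip a limit) as an added example; this is not Facebook's code, and the limits, window length, IP addresses and event stream are all constructed for the demonstration:

```python
"""Two-level (per-IP and per-account) sliding-window rate limiter.

Added example, not Facebook's code: it models the point that automated
invite/uninvite actions hit both IP-level and account-level limits.
Limits, keys and the replayed events are assumed/constructed.
"""
from collections import Counter, defaultdict, deque


class SlidingWindowLimiter:
    """Allows at most `limit` events per `window` seconds for each key."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self.events = defaultdict(deque)  # key -> timestamps of recent events

    def _prune(self, key, now):
        q = self.events[key]
        while q and q[0] <= now - self.window:
            q.popleft()               # drop events that have left the window
        return q

    def remaining(self, key, now):
        return self.limit - len(self._prune(key, now))

    def record(self, key, now):
        self.events[key].append(now)


class ActionGuard:
    """Checks both limiters before recording in either, so a request denied
    at one level does not consume quota at the other."""

    def __init__(self, ip_per_min=30, account_per_min=20):   # assumed limits
        self.ip = SlidingWindowLimiter(ip_per_min, 60)
        self.account = SlidingWindowLimiter(account_per_min, 60)

    def check(self, ip, account, now):
        if self.ip.remaining(ip, now) <= 0:
            return "ip_limited"
        if self.account.remaining(account, now) <= 0:
            return "account_limited"
        self.ip.record(ip, now)
        self.account.record(account, now)
        return "ok"


def replay(events, guard=None):
    """events: iterable of (timestamp, ip, account). Returns decisions."""
    guard = guard or ActionGuard()
    return [(t, ip, acct, guard.check(ip, acct, t)) for t, ip, acct in events]


def summarize(decisions):
    return Counter(d[-1] for d in decisions)


def sample_events():
    """Constructed traffic (not real data):
    - one account firing 25 invites from one IP, then switching to a second
      IP, then retrying once the window has slid past its oldest events;
    - 35 throwaway accounts all acting from a single IP."""
    one_account = [(t, "203.0.113.5", "scraper") for t in range(25)]
    one_account += [(25, "203.0.113.6", "scraper"), (61, "203.0.113.6", "scraper")]
    one_ip = [(100 + i, "198.51.100.9", f"throwaway{i}") for i in range(35)]
    return one_account + one_ip


if __name__ == "__main__":
    for t, ip, acct, verdict in replay(sample_events()):
        if verdict != "ok":
            print(f"t={t:3d} ip={ip} account={acct}: {verdict}")
    print(summarize(replay(sample_events())))
```

In the replay the single account is cut off at its 20th action and stays cut off after changing IP, while the one-IP swarm of fresh accounts is cut off at the 30th action even though no account individually exceeds its quota; a real deployment would key on more than the raw IP (shared NAT, proxies) and add the heuristics the comment mentions, but the two independent keys are the core of the point.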

------
everly
Seems like you should have gotten more than $5k. Great work and nice write-up.

~~~
jaytaylor
I had the same thought. Seems like the value of such an exploit could be a lot
more than $5k to the right people in the open market.

The macro effect is that when someone with lower moral/ethical standards
discovers such an exploit it's more likely the find will end up being sold for
more money and ultimately used maliciously in the wild.

The more $fb pays the greater the incentive will be for shady people to
responsibly report it to $fb.

Relying on good samaritans doesn't seem like a sustainable or particularly
responsible solution to taking care of those trusting the Facebook platform to
not leak their private information.

~~~
icebraining
_Seems like the value of such an exploit could be a lot more than $5k to the
right people in the open market._

Probably not. What would the buyer do with it? It's probably very hard to mass
scrape FB (rate limiting would kick in), and there are other ways of getting a
specific email address.

~~~
jaytaylor
It's about more than just email addresses. This is the policy applied to all
exploits for their entire platform.

~~~
icebraining
How so? They paid a $15k bounty earlier this year.

~~~
jaytaylor
Perhaps it's my mistake then, apologies. I didn't know it was a variable rate!

------
chiefalchemist
Slightly off topic but you can search FB by using a phone number, kinda like
reverse lookup.

~~~
djsumdog
At one time you could search by e-mail address, but that was removed years
ago.

~~~
xadhominemx
I think you still can?

~~~
rbritton
You can, so long as the privacy setting "Who can look you up using the email
address you provided?" is set to a value that exposes it.

------
dimino
You censor an email address in the image but not in the URL.

Don't know of any other way than posting here to contact you.

~~~
an_account_name
It appears to be the researcher's own address. Also, the censoring in the
image is Facebook's, not the researcher's - this discrepancy is exactly the
bug they're disclosing.

~~~
dawgyg
Beat me to the reasoning for that, lol, thanks! But yeah, as he stated, it's
one of my work email addresses I use for testing, so I figured the less
censoring I did, the better to show the full impact etc.

~~~
dimino
Oh yeah of course, sorry.

------
jankotek
There are more bugs. The wrong-password page will reveal the Facebook user
associated with an email.

~~~
csydas
Facebook's Wrong Password page has a bunch of weird behavior that, as a lay
person, I disagree with.

Entering an old password into Facebook will tell you as such [1]. I can't
really think of a practical attack for this towards facebook, but I'm really
wary of any system that reveals information about passwords, even though I
somewhat feel I'm being overly paranoid. Password recycling just seems to be
too prevalent to allow me to ignore this, even though it seems impractical to
me. I guess I just don't like that it reveals password information.

Enough failed logins automatically sends a temporary login pin to the email on
file. Again, I feel that in a practical sense this isn't a big issue since if
you can get access to the email that has the login pin you also likely have
access to the victim's machine that is already logged in, but it still feels
like a weird practice to automatically generate temporary credentials without
being asked.

[1] - [http://i.imgur.com/J7YTJqY.png](http://i.imgur.com/J7YTJqY.png)

~~~
tedunangst
Confirmation of old password isn't such a big deal. If you are concerned that
a password was shared with another site and not changed, the attacker has an
easier test: use the password at the other site.

On the other hand, major utility boost for users. "I KNOW this is my
password!" Actually, it was your password before you changed it. "Oh right."

I know I do this quite frequently. Enter password. (Wrong.) Guess I have to
change it. Reset. (New password must be different than existing password.) My
"new" password is the one I changed it to last time, before forgetting.

~~~
philipodonnell
This happens to me with arcane password requirements that only tell you the
requirements after you reset it.

try various passwords -> "Invalid password" -> send reset password email ->
click email -> "passwords require a special character AND a number AND an
unprintable character" -> me: ooooh, it's that one -> enter it -> "password
already used" -> enter another password I'll definitely forget next time.

There are websites I need so occasionally that I'm sure that I have never
logged in without resetting my password.
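
The login and reset behaviours discussed in this sub-thread (a wrong-password page that says whether an email has an account and whether the password is an old one, and a reset that rejects a "password already used"), as an added example written for this page rather than Facebook's code. It puts the informative variant beside a uniform-response variant and shows the password-history check that produces the reset error; the accounts, history depth and PBKDF2 round count are constructed for the demonstration:

```python
"""Login and password-reset responses, leaky versus uniform.

Added example, not Facebook's code. It models the behaviours the thread
describes (a wrong-password page that reveals whether an email has an
account and whether a password is a retired one; a reset that rejects a
"password already used") beside a uniform-response login. Accounts, the
history depth and the round count are constructed for the example.
"""
import hashlib
import hmac
import os

ROUNDS = 20_000              # assumption: kept low for the demo, raise in practice
DUMMY_SALT = os.urandom(16)  # spent on unknown emails so timing matches


def derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)


class Account:
    def __init__(self, email: str, password: str, history: int = 3):
        self.email = email
        self.history = history           # assumed: current + 2 retired hashes
        self.current = self._entry(password)
        self.previous = []               # retired (salt, digest) pairs, newest first

    @staticmethod
    def _entry(password: str):
        salt = os.urandom(16)            # fresh salt per stored hash
        return salt, derive(password, salt)

    @staticmethod
    def _match(password: str, entry) -> bool:
        salt, digest = entry
        return hmac.compare_digest(digest, derive(password, salt))

    def matches_current(self, password: str) -> bool:
        return self._match(password, self.current)

    def matches_previous(self, password: str) -> bool:
        # Evaluate every entry so the cost does not depend on which one matches.
        hits = [self._match(password, e) for e in self.previous]
        return any(hits)

    def change_password(self, new_password: str) -> str:
        if self.matches_current(new_password) or self.matches_previous(new_password):
            return "password already used"
        self.previous = [self.current] + self.previous[: self.history - 1]
        self.current = self._entry(new_password)
        return "ok"


class Directory:
    def __init__(self):
        self.accounts = {}

    def add(self, email: str, password: str) -> Account:
        acct = Account(email, password)
        self.accounts[email] = acct
        return acct

    def login_verbose(self, email: str, password: str) -> str:
        """Leaky variant: the response distinguishes an unknown email, a
        retired password and a plain wrong password."""
        acct = self.accounts.get(email)
        if acct is None:
            return "no account for that email"
        if acct.matches_current(password):
            return "ok"
        if acct.matches_previous(password):
            return "that is an old password; you changed it"
        return "wrong password"

    def login_uniform(self, email: str, password: str) -> str:
        """Uniform variant: every failure returns the same message, and an
        unknown email still pays for one hash so timing does not reveal it."""
        acct = self.accounts.get(email)
        if acct is None:
            derive(password, DUMMY_SALT)
            return "invalid email or password"
        if acct.matches_current(password):
            return "ok"
        return "invalid email or password"
```

`login_verbose` is the behaviour the thread is debating: it answers the question "does this email have an account?" to anyone, and tells a password-reuse attacker that the credential was right until recently. `login_uniform` keeps the same history check for the reset path (where the user has already proven control of the email) but gives the login path one message and one hash computation regardless of which check failed.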

------
zeroer
Facebook doesn't even have my primary email address.

~~~
anigbrowl
Why would you equate 'the primary email address' with _your_ primary email
address rather than the one FB thinks of as the primary? You're like a guy who
sees a sign saying 'beware of pickpockets' and boasts about how he's smarter
than that because he keeps his money in his shoe.

~~~
zeroer
> You're like a guy who sees a sign saying 'beware of pickpockets' and boasts
> about how he's smarter than that because he keeps his money in his shoe.

That's a beautiful analogy (and spot on). I'm stealing it.

~~~
anigbrowl
Did you know that this behavior is widespread enough that pickpockets
sometimes put up their own warning signs, so as to observe where people
unconsciously touch their wallet through their outer clothes when they
encounter the sign?

------
shp0ngle
Can we please skip this dance "I think this Facebook bug is worth more than XY
dollars" next time, thanks.

~~~
daveguy
Did I miss it? I don't see anywhere the author said "I think this facebook bug
is worth more than XY dollars". It is obviously worth more than the $5,000
bounty given to someone willing to exploit it. Being able to harvest the email
address of any arbitrary Facebook user would be worth much more than $5,000.

If bug bounty hunters are making a calculation of whether to report or sell on
the black market, a bug like this would fetch a very large price. I hope
people don't add shades of gray, or stripes of black, to their hats with the
discrepancies that are regularly reported.

~~~
dawgyg
Even at $5000 this set a personal high payout record for me. The easy legal
money is better than taking a risk in a grey area such as selling exploits on
the darknet. May not be as profitable this way, but I have no complaints and
an extra 5k 2 days before xmas is a hell of a gift imo.

~~~
benbristow
Also karma compared to selling the exploit to dodgy people on the darknet.

~~~
dawgyg
Exactly. And with my past it is much better to stick to the right side and not
venture into grey areas. Prison is not fun, so would really like to avoid it
more in the future.

