Disclosing the Primary Email address for each Facebook user (dawgyg.com)
111 points by dawgyg 8 hours ago | hide | past | web | 21 comments | favorite
Can we please skip this dance "I think this Facebook bug is worth more than XY dollars" next time, thanks.

This bug could have been used to make so much money.

1. Find a group on Facebook of users you're interested in.

2. Do this bug to get all of their emails.

3. Build a lookalike audience from these emails.

Goldmine.

I'd be willing to bet a five figure sum that this plan would work either not at all, or for less than a week.

The vulnerability itself is interesting, and more prone to monetization utility than the standard fare of bug bounty reports that get posted here, so I'll give you that.

However, Facebook has one of the most sophisticated anti-scraping/crawling systems I have ever seen in production. Automating this with any non-trivial scale would immediately alert several teams, especially in security, risk, QA and analytics.

This is assuming that you could realistically automate the act of inviting and uninviting non-friends without any penalization. In fact, what would probably happen is a rate-limit trigger that would temporarily knock out access from your IP address. There are also account-level rate limits, not just IP-level.

Realistically, I'd use this for targeting a specific person in order to get their private contact information. I suppose that could actually be worth something, like if someone wanted a well known VC's private email address. But it's an odd length to go to nowadays when most professional emails are pretty guessable.

If only you could build a valuable product with nothing more than a list of email addresses.

Is this sarcasm? Is this not one of the main strategies in lead generation?

Linking email addresses to facebook accounts to groups they're involved in and developing target markets for certain users and selling those lists (ex. gamers) to less-than-reputable and maybe even reputable marketing companies seems like it could be profitable... Maybe I'm naive?

Who said anything about building a product.

  1. Find niche on facebook
  2. Find appropriate nice product with affiliate scheme
  3. Harvest Emails
  4. Send email with product ( low conversion, but who cares? )
  5. Repeat

You could send emails to FB users directly to their Facebook email (don't know whether this exists anymore). In 99% of cases these emails were relayed directly to the user's mailbox (probably with the added benefit of coming from the facebook.com domain).

Many reported this, but it was not eligible for bug bounty; it was a feature according to FB, even though it circumvented their "pay $1 to deliver your message to someone you are not friends with".

Emails sent to a user's Facebook email address go to their messages (FB Messenger) mailbox, but they may receive a notification via their personal email.

Can you not build a lookalike audience based on a group now?

From my reading of the article it seems like you had to be admin of the group in question because the exploit seems to take advantage of a bug with inviting users to that group. I don't think the vector you describe would work.

OK, there are 2 groups here: Group A, which you're using as a list of users that are interested in a subject. Group B is used to perform the bug, and doesn't have to be an active group at all; you could have just created it for the purpose of performing the exploit.

Ahh, my mistake. I didn't realise that you could just retrieve a full list of users for a group (I just tried it and you can). I suspect this API may be fairly closely watched, however.

Seems like you should have gotten more than $5k. Great work and nice write-up.

I think it's fair. All you will get is the email somebody used to sign in to Facebook, and if you tried to do this en masse I'm sure you would trigger some automated system.

If you really want to target somebody in particular, there you can get the email address of that person. I have had my Gmail account since 2004, and at this point it has been resold a million times.

All it takes is somebody that I communicated with to do something stupid like allow some app to scan their contact book, and my email is in the wild.

I had the same thought. Seems like the value of such an exploit could be a lot more than $5k to the right people in the open market.

The macro effect is that when someone with lower moral/ethical standards discovers such an exploit it's more likely the find will end up being sold for more money and ultimately used maliciously in the wild.

The more $fb pays the greater the incentive will be for shady people to responsibly report it to $fb.

Relying on good samaritans doesn't seem like a sustainable or particularly responsible solution to taking care of those trusting the Facebook platform to not leak their private information.

Seems like the value of such an exploit could be a lot more than $5k to the right people in the open market.

Probably not. What would the buyer do with it? It's probably very hard to mass scrape FB (rate limiting would kick in), and there are other ways of getting a specific email address.

Right, the Slack group is probably a much bigger gold mine, so this was probably lower-hanging fruit for the occasional easy liquidity.

Slightly off topic, but you can search FB by using a phone number, kind of like a reverse lookup.

There are more bugs. The wrong-password page will reveal the Facebook user associated with an email.

So will just searching for the email while you're logged in. I believe that's expected behaviour.

Typing an email address into Facebook search will reveal the Facebook user. That is not a secret.

