date 2016-12-21
1. Find a group on Facebook of users you're interested in.
2. Do this bug to get all of their emails.
3. Build a lookalike audience from these emails.
Goldmine.
The vulnerability itself is interesting, and more prone to monetization utility than the standard fare of bug bounty reports that get posted here, so I'll give you that.
However, Facebook has one of the most sophisticated anti-scraping/crawling systems I have ever seen in production. Automating this with any non-trivial scale would immediately alert several teams, especially in security, risk, QA and analytics.
This is assuming that you could realistically automate the act of inviting and uninviting non-friends without any penalization. In fact, what would probably happen is a rate-limit trigger that would temporarily knock out access from your IP address. There are also account-level rate limits, not just IP-level.
Realistically, I'd use this for targeting a specific person in order to get their private contact information. I suppose that could actually be worth something, like if someone wanted a well known VC's private email address. But it's an odd length to go to nowadays when most professional emails are pretty guessable.
Linking email addresses to Facebook accounts to groups they're involved in and developing target markets for certain users and selling those lists (ex. gamers) to less-than-reputable and maybe even reputable marketing companies seems like it could be profitable... Maybe I'm naive?
1. Find a niche on Facebook
2. Find an appropriate niche product with an affiliate scheme
3. Harvest emails
4. Send email with product (low conversion, but who cares?)
5. Repeat
Many reported this, but it was not eligible for a bug bounty; it was a feature according to FB, even though it circumvented their pay $1 to deliver your message to someone you are not friends with.
If you really want to target somebody in particular there, you can get the email address of that person. I have had my Gmail account since 2004, and at this point, it has been resold a million times.
All it takes is somebody that I communicated with to do something stupid like allow some app to scan the contact book, and my email is in the wild.
The macro effect is that when someone with lower moral/ethical standards discovers such an exploit it's more likely the find will end up being sold for more money and ultimately used maliciously in the wild.
The more $fb pays the greater the incentive will be for shady people to responsibly report it to $fb.
Relying on good samaritans doesn't seem like a sustainable or particularly responsible solution to taking care of those trusting the Facebook platform to not leak their private information.
Probably not. What would the buyer do with it? It's probably very hard to mass scrape FB (rate limiting would kick in), and there are other ways of getting a specific email address.
