Facebook name extraction based on email/wrong password + POC (seclists.org)
143 points by iamelgringo on Aug 11, 2010 | 27 comments



In almost any web app you'd write this up as "Sev: Low", "Impact: Information Leakage".

But this isn't any web app; it's the most popular complex web app in the world. It seems like there's zero likelihood Facebook doesn't (a) know about this and (b) want Facebook to work this way. Presumably, it helps people like my mom.

It was always a bad idea to associate your secret anonymous email address that you use to send ransom letters with your Facebook account.


There are a lot of tradeoffs one makes with dealing with nontechnical customers which geeks might hate. Geeks do not have to worry about the "Facebook login" fiasco, but if you sell to my customers, are Paypal, etc, then login issues are a core business requirement. Note that site abandonment among users unable to log in is ridiculously high (I should track this...) and every time that happens Facebook loses revenue, shareholder value, and network effects.


Um, it's easier than that. You can do this with the graph API. Although current (but undocumented) rate limits make it infeasible to do much with it.

https://graph.facebook.com/search?q=josh@eventvue.com&ty....

http://developers.facebook.com/docs/api#search


The author states it might be useful in guessing valid company email addresses. Isn't it easier to create a CSV/Outlook compatible file containing hundreds of generated addresses, and then ask Facebook to find new friends for you? Plus, that will allow you to check many more addresses before Facebook senses something silly and disables the login form, which would happen if you use the login-form method.

Heck, this is perfectly possible with LinkedIn and twitter as well. I don't understand what the fuss is.


The author states that this does not check a user's privacy settings, but as another participant in the thread points out[1], importing an address book to look for new contacts respects privacy settings (i.e. a 'new contact' will only show up if their privacy settings allow their profile to show up in search results).

[1]: http://seclists.org/fulldisclosure/2010/Aug/137


Right. That makes sense.

However, since this solution isn't spectacularly scalable, I'm not too worried.


Since GMail released their small revision the other day that put a more "GMail-like" GUI on the Contacts section, I've been sorting and completing my list of contacts. I had 5 ambiguous e-mail addresses left that I couldn't pinpoint who they belonged to. After reading this article I decided to give this Facebook feature/vulnerability a try. 4 out of 5 previously anonymous e-mails are now verified with their first, last name, and photo (it turns out I know all 4 in person so in all likelihood the results are correct). Not too shabby, and a little bit scary.


What did you find when you searched for the address in your conversations?


RapLeaf offers a service where you give it an email address and it returns the Facebook, Twitter and other social media accounts associated with it.

Now, I'm not saying they are using this vector, but then they must be using something like this because how else could they offer the service. (This also means there might be other vectors to achieve this end result).

To me, this also makes me pleased that I use a unique email address against my email domain for each site I use.


Rapportive also does this.


Actually, I find this pretty creepy.

See the following including a link to see what is available via email address lookup.

http://jeffreykishner.com/2010/03/what-anyone-can-know-just-...
http://petewarden.typepad.com/searchbrowser/2009/12/what-can...
http://web.mailana.com/labs/findbyemail/


I'm not so sure why this even matters. If you search for someone based on their email address within Facebook, it comes up with their name and photo as well. In my case, it's a feature. But true there is no point to it giving this information on the wrong password screen, but if someone wants this information they can still get it using Facebook.

Maybe Google should worry about this too...I usually type unfamiliar email addresses into Google and end up with far more than just a name and a picture.


You can block your profile from coming up in searches with Facebook's privacy settings.


I agree with the overall sentiment that this is a relatively minor vulnerability.

It could be put to malicious use by phishers. If I know your full name I can make more realistic phishing emails.


Well the problem with this vulnerability is that many spammers have millions of email addresses, only a fraction of them with the full name. With this Facebook issue they will get tens or hundreds of thousands of names connected, and will further resell this database.

This seems like quite an asset to me, because spam mails with the real name will have a much higher engagement.


I always use my real name when I send email, so email coming to me with my name on it is unremarkable and does not give me any reason to think it's "safe."


This is assuming I used my real name on Facebook.


Nice find. The followup is correct; slight misspellings are corrected, allowing further guesses.

This coupled with the fbnames release earlier makes me think it's only a matter of time before someone crawls and "open sources" all accessible personal data from facebook.


I don't know that "marketing research" companies are not already generating databases from FB data like this.


The same can be done for Gmail (and probably Google Apps) users through GDocs. Just share a document to an email address, and GDocs will show you their name.


But that ends up sending an email to the account you extend the sharing request to. It might raise a red flag to some people.

This 'vulnerability' doesn't contact the victim, so it can be done in combination with, like the report said, a phishing scheme to gain the real names of the users of an email list.

I'm not saying that this is some massive privacy issue. It opens up a vector to make other attacks, specifically email based attacks, seem more legitimate, which is a bad thing.


There is an option to not send an email. And it's not a request - once you share it, the recipient doesn't need to accept. The users can see them in their GDocs list though. But if you quickly unshare them and they're not currently viewing their list, they'll be unaware of it.


I didn't think that it was an option, but I did check. You are right. Of the three checkbox options, notifying the recipient of a share invitation is the only one checked by default.

Either way, my main point stands. This isn't a major privacy issue. Though, I've always been taught that when developing an authentication mechanism, one should not distinguish between a bad password or bad email address/user name in the error message provided to the user. Specifically the latter, since an "Invalid password supplied for John Doe" gives confirmation that the username provided is valid, and a brute-force or dictionary attack on the name will probably be successful.
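The design rule in the comment above, shown as an added example that is not code from the thread, from Facebook or from the seclists post: a login check that returns the same error for an unknown email and a wrong password, never echoes the account's display name on failure, does the same amount of password-hashing work whether or not the account exists, and sits behind a per-source failure limiter of the kind the thread says Facebook applies to its login form. The user table, passwords and client addresses are constructed sample data; the `leaky_login` function is there only to show the pattern being criticised next to its hardened form.

```python
"""Login check that does not leak whether an identifier exists.

Added example, not the page's or Facebook's code. USERS, the dummy credential,
and every client address below are constructed for illustration.
"""
import hashlib
import hmac
import os
import time

_ITERATIONS = 50_000  # PBKDF2 work factor; a real deployment would tune this


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


def _make_user(password: str, name: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt), "name": name}


# Constructed sample user table: email -> salted hash + display name.
USERS = {
    "alice@example.com": _make_user("correct horse battery staple", "Alice Liddell"),
}

# Dummy credential checked when the account does not exist, so the hashing
# cost (and therefore the response time) is the same for valid and invalid emails.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password("dummy-password-never-accepted", _DUMMY_SALT)

GENERIC_ERROR = "The email or password you entered is incorrect."


def leaky_login(email: str, password: str):
    """The pattern criticised in the thread: distinct errors, name echoed back."""
    user = USERS.get(email)
    if user is None:
        return (False, "No account with that email.")
    if not hmac.compare_digest(_hash_password(password, user["salt"]), user["hash"]):
        return (False, f"Wrong password for {user['name']}.")
    return (True, f"Welcome, {user['name']}.")


def hardened_login(email: str, password: str):
    """Same error for unknown email and wrong password; no name on failure."""
    user = USERS.get(email)
    if user is None:
        salt, expected = _DUMMY_SALT, _DUMMY_HASH
    else:
        salt, expected = user["salt"], user["hash"]
    candidate = _hash_password(password, salt)  # always computed
    ok = hmac.compare_digest(candidate, expected) and user is not None
    if not ok:
        return (False, GENERIC_ERROR)
    return (True, f"Welcome, {user['name']}.")


class FailureLimiter:
    """Counts failed attempts per key inside a sliding window.

    In-memory and single-process (assumption for the example); keyed on the
    client address so one source sweeping many identifiers is throttled, while
    a victim cannot be locked out merely by someone guessing their email.
    """

    def __init__(self, max_failures: int = 5, window_seconds: int = 300):
        self.max_failures = max_failures
        self.window = window_seconds
        self._failures = {}  # key -> list of failure timestamps

    def _prune(self, key, now):
        recent = [t for t in self._failures.get(key, []) if now - t < self.window]
        self._failures[key] = recent
        return recent

    def blocked(self, key, now) -> bool:
        return len(self._prune(key, now)) >= self.max_failures

    def record_failure(self, key, now) -> None:
        self._prune(key, now).append(now)


def login_with_limit(email, password, client_ip, limiter, now=None):
    """hardened_login behind a per-source failure limiter."""
    if now is None:
        now = time.monotonic()
    if limiter.blocked(client_ip, now):
        # Same generic error: a throttled client learns nothing about the account.
        return (False, GENERIC_ERROR)
    ok, message = hardened_login(email, password)
    if not ok:
        limiter.record_failure(client_ip, now)
    return (ok, message)


if __name__ == "__main__":
    print(leaky_login("alice@example.com", "wrong"))      # leaks the name
    print(hardened_login("alice@example.com", "wrong"))   # generic error
    print(hardened_login("nobody@example.com", "wrong"))  # identical error
```

Note that throttling alone does not close the leak: the wrong-password page in the seclists post gives the name away on the very first attempt, so the generic message is the part that matters, and the limiter only raises the cost of the bulk sweeps the thread worries about.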


Not sure if that's only on Facebook US servers or it's been disabled already, but from here in NZ there's no such info leakage, you get a very boring error page.

The only thing you can discover is whether the email address you entered is a valid Facebook login or not - you get a different error response for an email address that's not a valid Facebook login.


It works exactly as claimed from Sweden at least. It returns my full name, a profile pic, and corrects minor typos.


I guess they fixed it? It's not showing anything about me on a wrong password...


Easier: install Rapportive.

