This is an account recovery endpoint used if your account was hacked, for example.
Your name, profile picture and a few other things are considered public information so there is no security issue displaying them. See: https://www.facebook.com/help/167709519956542
The scenario is: you are not able to get into your rightful Facebook account but you know some information (phone, email) that is associated with it. If you are coming from a semi-trusted computer/IP/browser/etc. that has a history of being associated with your account, Facebook displays some public information about that account to ensure one doesn't try to recover the wrong account. The posts here about people getting differing results when hitting this endpoint with other people's information are a result of these factors.
Important note: If a user you are initiating a recovery for has their "who can look me up" privacy setting set to "everyone", then we will always display such information for that user. That setting is discussed a bit more here: https://www.facebook.com/help/www/131297846947406
Hope that clears things up. This is one of the most common false positives we get via our bug bounty program, and I certainly see how it can be alarming at first.
It can be, for a plurality of reasons. Phone books, court records, etc.
If you try someone else's phone number, it has a placeholder profile picture, says "Facebook User", and has censored out the email addresses to send a recovery email to.
I'm guessing everyone here is using their own phone number to test with, which yields a lot more information than if you were to try it with a phone number of a friend who's never logged into Facebook from your network.
Snapchat Username --> Snapchat Phone Number --> Facebook Account
I hope people are behaving.
Sure enough, in a few days, I received several topless pictures from a random account. The girl typed in a name which she thought belonged to her friend, but instead entered my new profile name.
I thought this was hilarious, my girlfriend however, didn't. Just one random situation.
It doesn't do a common FB database-wide search, just from your contacts/FB friends.
I was informed that this was a design decision, since previously used IPs are more trustworthy than any new IP. I considered this a design flaw and reported it, since large institutions are typically behind a NAT and they become susceptible to targeted attacks.
What law do you think this violates?
An example of a poor trade for experience vs security.
> You can see your name and profile picture because you're using a computer network you've logged in on before.
At least, that's what I saw when I did it on myself in an incognito tab.
if you're going to do something that might raise the ire of someone sophisticated, don't do it online with your true and/or trusted persona.
now if you're complaining the waterline for "sophisticated" is getting lower...well...welcome to technology :)