Hacker News
You can use Facebook to identify people by their email or phone number (facebook.com)
59 points by slashdotaccount on Jan 16, 2014 | 38 comments

I work at Facebook on the security team.

This is an account recovery endpoint used if your account was hacked for example.

Your name, profile picture and a few other things are considered public information so there is no security issue displaying them. See: https://www.facebook.com/help/167709519956542

Replying as discussion originally seemed to be about first/last/profile picture privacy.

The scenario is: you are not able to get into your rightful Facebook account, but you know some information (phone, email) that is associated with it. If you are coming from a semi-trusted computer/IP/browser/etc. that has a history of being associated with your account, Facebook displays some public information about that account to ensure one doesn't try to recover the wrong account. The posts here about people getting differing results when hitting this endpoint with other people's information are a result of these factors.

Important note: If a user you are initiating a recovery for has their "who can look me up" privacy setting set to "everyone", then we will always display such information for that user. That setting is discussed a bit more here: https://www.facebook.com/help/www/131297846947406

Hope that clears things up; this is one of the most common false positives we get via our bug bounty program, and I certainly see how it can be alarming at first.

Then why isn't there search by private email address or private phone number functionality exposed for everyone to use and know about?

It is -- you can just type in an email or phone number in the normal Facebook search box.

Not if the user set them to private.

Yes, but the email address or phone number is not. I would argue, therefore, that the information that the email or phone connects to the public information is not.

No, personally identifiable information isn't public information. What's exposed here is still personal information that you decided to make public, but presumably with the user's consent.

On Facebook, there are granular privacy settings to control who can search for you by email/phone number if you choose to use them. They're accessed by going to facebook.com/settings (dropdown arrow @ top right), then "Privacy", then "Who can look me up?" The analogy would be opting to have an unlisted phone number in the white pages back when they were printed on paper and arrived on your front doorstep.

> No, personally identifiable information isn't public information.

It can be, for a plurality of reasons. Phone books, court records, etc.

It appears this only works if you're using an account that you've already logged into from that IP address.

If you try someone else's phone number, it has a placeholder profile picture, says "Facebook User", and has censored out the email addresses to send a recovery email to.

I'm guessing everyone here is using their own phone number to test with, which yields a lot more information than if you were to try it with a phone number of a friend who's never logged into Facebook from your network.

This is not accurate. I was able to see the picture, name, and a partially censored email address for several contacts. I have no Facebook account and I am certain none of those contacts have ever accessed the internet from this IP.

Pair this with the Snapchat leak, so you can go from:

Snapchat Username --> Snapchat Phone Number --> Facebook Account

I hope people are behaving.

Facebook profile photo -> google image search -> address or other accounts to attack

I am intrigued about situations in which you would have someone's Snapchat username, but so little of an idea of their name/network that you couldn't find them on Facebook with graph search.

A few months ago, I was trying to figure out what this Snapchat was all about, so I signed up with a fairly common username.

Sure enough, in a few days, I received several topless pictures from a random account. The girl typed in a name which she thought belonged to her friend, but instead entered my new profile name.

I thought this was hilarious; my girlfriend, however, didn't. Just one random situation.

The contacts app on the iPhone does something like that last jump, where having a phone number + first name is enough for it to sometimes find the full FB profile and update the pic associated with the contact on the phone. I assume/hope it only works when they have their phone number public on their profile, though.

I guess for that to work you need to sync your Facebook account, and it will only update/find the full FB profile if they are in your friend list.

It doesn't do a common FB database-wide search, just from your contacts/FB friends.

Well, no. I have some FB profiles (with photos) in my phone contacts of people who are not in my friend list, but who are (probably) in my "friends of friends" list. So probably the latter is enough.

I had reported this to FB security last year when I found it was trivial to find partially masked email IDs & phone numbers of anyone behind my Uni's gateway.

I was informed that this was a design decision, since previously used IPs are more trustworthy than any new IP. I considered this a design flaw and reported it, since large institutions are typically behind a NAT and they become susceptible to targeted attacks.
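As an added illustration (example code, not Facebook's implementation) of the recovery-preview policy the Facebook engineer describes earlier in the thread and the NAT weakness raised in this comment: the two functions model identity disclosure keyed on source IP versus on a per-device token; the account, egress IP, masking rule and token names are constructed.

```python
from dataclasses import dataclass, field

PLACEHOLDER_NAME = "Facebook User"        # what the thread reports for untrusted requests
CAMPUS_NAT_IP = "203.0.113.7"             # constructed campus egress address (RFC 5737 range)

def mask_email(email: str) -> str:
    """Constructed masking rule for this demo (not Facebook's): keep the first
    character of the local part and the domain, star out the rest."""
    local, domain = email.split("@", 1)
    return local[0] + "*" * (len(local) - 1) + "@" + domain

@dataclass
class Account:
    name: str
    email: str
    lookup_setting: str                                 # "everyone" or "friends"
    trusted_ips: set = field(default_factory=set)       # IPs with a login history
    trusted_devices: set = field(default_factory=set)   # per-device tokens issued at login

def preview_ip_trust(acct: Account, src_ip: str, device_token: str) -> dict:
    """Policy as the thread describes it: identity is shown when lookup is open
    to everyone or the source IP has previously logged into this account."""
    trusted = acct.lookup_setting == "everyone" or src_ip in acct.trusted_ips
    return {"name": acct.name if trusted else PLACEHOLDER_NAME,
            "email": mask_email(acct.email)}

def preview_device_trust(acct: Account, src_ip: str, device_token: str) -> dict:
    """Hardened variant (assumed design, not Facebook's): trust is keyed to a
    device token from an earlier login, so a shared NAT address confers nothing."""
    trusted = acct.lookup_setting == "everyone" or device_token in acct.trusted_devices
    return {"name": acct.name if trusted else PLACEHOLDER_NAME,
            "email": mask_email(acct.email)}

# Constructed victim: lookup restricted, has logged in from the campus NAT on one device.
VICTIM = Account("Alice Example", "alice@uni.example", "friends",
                 trusted_ips={CAMPUS_NAT_IP}, trusted_devices={"dev-alice"})

def compare_policies(acct: Account, src_ip: str, device_token: str) -> dict:
    """Run both policies for one request context and return the name each reveals."""
    return {"ip_trust": preview_ip_trust(acct, src_ip, device_token)["name"],
            "device_trust": preview_device_trust(acct, src_ip, device_token)["name"]}

if __name__ == "__main__":
    # Someone else behind the same campus NAT, on a device that never logged in as Alice.
    print(compare_policies(VICTIM, CAMPUS_NAT_IP, "dev-stranger"))
    # Alice herself, from her usual device.
    print(compare_policies(VICTIM, CAMPUS_NAT_IP, "dev-alice"))
```

Under IP-keyed trust the shared egress address is enough to reveal the name to any other user of the same NAT; keying trust to a device token restores the placeholder for them while still serving the real owner.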

This URL now redirects to the root of facebook.com, so I guess they've already disabled it.

First logout from Facebook, then re-visit the url.

Or use an Incognito window.

Still working for me.

Is this legal? Did I give consent to Facebook publicly associating this information in ToS?

What part of the Facebook ToS do you think this violates?

What law do you think this violates?

EU privacy laws explicitly forbid exposing photos (linked to personally identifiable information) without explicit consent, especially for people of minor age (the specific country laws may differ a little, but the general sense is clear).

Surely agreeing to their ToS and proceeding past the point of agreeing to it explicitly consents to anything that they put in there?

It definitely gives you much more information than you had when you started... It really shouldn't display name/photo.

An example of a poor trade for experience vs security.

It depends on the privacy settings of the user. I just tried this on myself and it did not show my name or photo. The most conspicuous thing it showed was a starred-out version of my old university email address, but that's my own fault for leaving it there.

I have my settings as restrictively set as possible, and it showed my name, photo, and 'primary network'.

Facebook has an explanation on that page:

> You can see your name and profile picture because you're using a computer network you've logged in on before.

At least, that's what I saw when I did it on myself in an incognito tab.

That explanation does not inspire confidence -- I was able to retrieve the profile picture, name, networks, and barely-obfuscated email addresses of several contacts for whom it is impossible they have logged in from my network (on a VPN to the office) or my computer.

Are they "associated" with you? E.g. are they people Facebook could know you are friends with etc.?

Privacy is dead.

If you're going to do something that might raise the ire of someone sophisticated, don't do it online with your true and/or trusted persona.

Now if you're complaining the waterline for "sophisticated" is getting lower... well... welcome to technology :)

This discussion overlooks proxies, macchangers, firewalls, browsers, and pseudo identity...

I'll probably end up deleting my facebook account. Wait, is it even possible to do?

Somewhat. Disable it for a really long time and then delete, I guess.

Yes. You mark it for deletion and then don't log in for like 30 days and then it's actually deleted.
