
The social media giant, still reeling from the phone-number dump of 500 million Facebook users, is facing a new privacy crisis: a tool that links Facebook accounts to email addresses at scale, even when users have chosen settings that should keep their email address from being public.
A video circulating Tuesday showed a researcher demonstrating a tool called Facebook Email Search v1.0, which he said could link Facebook accounts to as many as 5 million email addresses per day. The researcher – who said he went public after Facebook told him it didn't consider the weakness he found "important" enough to fix – fed the tool a list of 65,000 email addresses and watched what happened next.
"As you can see from the output log, I get a significant number of results from it," the researcher said as the video showed the tool working through the mailing list. "I spent maybe $10 to buy 200-odd Facebook accounts. And in three minutes I managed to do this for 6,000 [email] accounts."

Ars obtained the video on the condition that it not be shared. A full transcript of the audio appears at the end of this post.
Drop the ball
In a statement, Facebook said, "It appears that we falsely closed this bug bounty report before going to the appropriate team. We appreciate the researcher sharing the information and are taking the first steps to address this issue as we follow up to better understand their information."
A Facebook representative did not respond to a question about whether the company had told the researcher that it did not consider the vulnerability important enough to warrant a fix. The rep said Facebook engineers believe they have mitigated the leak by disabling the technique shown in the video.
The researcher, who asked Ars not to identify him, said that Facebook Email Search exploited a front-end vulnerability that he recently reported to Facebook, but that Facebook did not consider it important enough to patch. Earlier this year, Facebook had a similar vulnerability that was eventually fixed.
“This is essentially the very same vulnerability,” says the researcher. “And for some reason, despite showing this to Facebook and making them aware of it, they immediately told me they won’t take any action against it.”
On Twitter
Facebook is under fire not only because it provides the raw material for these massive data collections, but also because of the way it actively tries to promote the idea that they cause minimal harm to Facebook users. An email that Facebook accidentally sent to a reporter for the Dutch publication DataNews instructed PR people to "see this as a broad industry problem and normalize that this activity is common." Facebook has also drawn a distinction between scraping and hacks or breaches.
It's not clear whether anyone actively exploited this bug to build a massive database, but it certainly wouldn't be surprising. "I think this is a pretty dangerous vulnerability, and I would like help to stop it," said the researcher.
Here’s the written transcript of the video:
So what I would like to demonstrate here is an active vulnerability within Facebook, allowing malicious users to query email addresses within Facebook and have Facebook return all matching users.
Um, this works with a front-end vulnerability with Facebook, which I reported to them, made them aware of, um, that they don’t care enough to be patched, um, which I would consider quite a significant violation of privacy and a major problem.
This method is currently used by software, which is now available within the hacking community.
Currently, it’s used to compromise Facebook accounts for the purpose of taking over page groups and, uh, Facebook ad accounts for obvious monetary gain. Um, I set up this visual example without JS.
What I did here is I took 250 Facebook accounts, newly registered Facebook accounts, which I bought online for about $10.
Um, I’ve asked if I’m requesting 65,000 email addresses. And as you can see from the output log here, I get a significant number of results from it.
When I look at the output file, you can see that I have a username and the email address that matches the entered email addresses I used. Now, as I said, I spent maybe $10 to buy 200-odd Facebook accounts. And within three minutes I managed to do this for 6,000 accounts.
I have tested this on a larger scale and it is possible to use this to extract feasibly up to 5 million email addresses per day.
Now there was an existing vulnerability with Facebook, er, earlier this year, that was patched. This is essentially the exact same vulnerability. And for some reason, despite showing this to Facebook and making them aware of it, um, they immediately told me they won’t take any action against it.
So I reach out to people like yourself in the hope that you can use your influence or contacts to stop this because I have a lot of faith in it.
Not only is this a massive invasion of privacy, but it will result in another, yet another, major data dump, including emails, allowing unwanted parties to not only have these email-to-user-ID matches, but also be able to link the email address to phone numbers, which were available from previous breaches. Um, I'm pretty happy to demonstrate the front-end vulnerability so you can see how this works.
I'm not going to show it in this video simply because I don't want the video, uhm, I don't want the method to be abused, but I'd really love to demonstrate it, um, if necessary. But as you can see, the output keeps producing more and more. I think this is a pretty dangerous vulnerability and I would like help to stop it.