Still reeling from last month’s dump of phone numbers belonging to 500 million Facebook users, the social media giant faces another privacy crisis: a tool that links Facebook accounts to their associated email addresses at scale, even when users have chosen settings intended to prevent those addresses from being made public.
A video circulated on Tuesday showed a researcher demonstrating a tool called Facebook Email Search v1.0, which he said could link Facebook accounts to as many as 5 million email addresses per day. The researcher, who said he went public after Facebook told him it didn’t think the weakness he found was “important” enough to fix, fed the tool a list of 65,000 email addresses and showed what happened next.
“As you can see from the output log here, I get a significant number of results from them,” the researcher said as the video showed the tool working through the list. “I spent maybe $10 to buy 200 Facebook accounts. And within three minutes I managed to do this for 6,000 [email] accounts.”
Ars obtained the video on the condition that it would not be shared. A full transcript of the audio appears at the end of this article.
Dropping the ball
In a statement, Facebook said: “It appears that we erroneously closed this bug bounty report before sending it to the appropriate team. We appreciate the researcher sharing the information and are taking initial actions to address this issue, as we follow up to better understand their findings.”
A Facebook representative did not respond to a question about whether the company told the researcher that it did not consider the vulnerability important enough to warrant a fix. The rep said Facebook engineers believe they have fixed the leak by disabling the technique shown in the video.
The researcher, whom Ars agreed not to identify, said that Facebook Email Search exploited a front-end vulnerability he had recently reported to Facebook, but that “they [Facebook] deem not important enough to be patched.” Earlier this year, Facebook had a similar vulnerability that was eventually fixed.
“This is essentially the exact same vulnerability,” the researcher said. “And for some reason, despite me showing this to Facebook and making them aware of it, they have told me directly that they will not take any action against it.”
Facebook has come under fire not only for making it possible to assemble these massive data sets in the first place but also for the way it actively tries to promote the idea that they cause minimal harm to Facebook users. An email that Facebook accidentally sent to a reporter from the Dutch publication DataNews instructed public relations people to “see this as a broad industry problem and normalize the fact that this activity is happening regularly.” Facebook has also drawn a distinction between scraping and hacks or breaches.
It’s not clear if anyone has actively exploited this bug to build a massive database, but it certainly wouldn’t be surprising. “I believe this is a pretty dangerous vulnerability and I would like help to stop this,” the researcher said.
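The abuse pattern the researcher describes is worth putting into concrete numbers: 6,000 lookups from 200 throwaway accounts in three minutes is only about 10 lookups per minute per account, well below what a per-account rate limit on a "find user by email" feature would normally flag, which is exactly why sybil accounts defeat it. The script below is an added example written for this article, not the researcher's tool and not Facebook code. It assumes a hypothetical access log for such a lookup endpoint (one record per query with a timestamp, the querying account, that account's age in days, and the email queried; the sample records are constructed) and contrasts a per-account limiter, which sees nothing, with an aggregate detector over the cohort of newly registered accounts, which does.

```python
"""Detecting sybil-driven scraping of an email-to-account lookup feature.

Added example; not the researcher's tool or any Facebook code. The log
schema and the sample records below are hypothetical and constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Lookup:
    ts: datetime
    account: str          # querying account id (hypothetical)
    account_age_days: int  # age of the querying account at query time
    email: str            # address submitted to the lookup feature


def build_sample():
    """Constructed log: 200 day-old accounts each querying 30 distinct
    addresses spread over 180 s (the 6,000-in-3-minutes figure, i.e.
    ~10 lookups/min/account), plus one long-standing user looking up
    two friends."""
    t0 = datetime(2021, 4, 20, 12, 0, 0)
    records = []
    for a in range(200):
        for k in range(30):
            records.append(Lookup(t0 + timedelta(seconds=k * 6 + (a % 6)),
                                  f"acct{a:03d}", 1,
                                  f"target{a * 30 + k}@example.com"))
    records.append(Lookup(t0 + timedelta(seconds=40), "veteran", 900,
                          "friend1@example.com"))
    records.append(Lookup(t0 + timedelta(seconds=95), "veteran", 900,
                          "friend2@example.com"))
    return records


SAMPLE = build_sample()


def per_account_rate_alerts(lookups, window=timedelta(minutes=1), max_per_window=20):
    """Classic per-account limiter: flag accounts that exceed max_per_window
    lookups inside any sliding window. A scraper spreading work over many
    cheap accounts stays under the threshold."""
    by_acct = defaultdict(list)
    for rec in lookups:
        by_acct[rec.account].append(rec.ts)
    flagged = set()
    for acct, times in by_acct.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > max_per_window:
                flagged.add(acct)
                break
    return flagged


def cohort_alerts(lookups, max_account_age_days=7, window=timedelta(minutes=5),
                  max_distinct_emails=500):
    """Aggregate detector: flag the first window in which accounts no older
    than max_account_age_days collectively queried more distinct addresses
    than max_distinct_emails. Returns a list of
    (window_start, window_end, distinct_emails, distinct_accounts)."""
    young = sorted((r for r in lookups if r.account_age_days <= max_account_age_days),
                   key=lambda r: r.ts)
    counts = defaultdict(int)  # email -> occurrences inside the window
    start = 0
    for end, rec in enumerate(young):
        counts[rec.email] += 1
        while rec.ts - young[start].ts > window:   # slide window start forward
            old = young[start].email
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            start += 1
        if len(counts) > max_distinct_emails:
            accounts = {r.account for r in young[start:end + 1]}
            return [(young[start].ts, rec.ts, len(counts), len(accounts))]
    return []


if __name__ == "__main__":
    print("per-account flags:", per_account_rate_alerts(SAMPLE))
    print("cohort alerts:", cohort_alerts(SAMPLE))
```

Tightening the per-account limit to 10 lookups per minute would catch every throwaway account in this sample, but it would also start catching ordinary users; the cohort detector keys on what the attacker cannot cheaply change (the youth of the accounts and the volume of previously unseen addresses they query together), which is the signal a defender of such a lookup feature actually wants.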
Here is the written transcript of the video:
So what I’m trying to demonstrate here is an active vulnerability within Facebook, which would allow malicious users to query email addresses within Facebook and have Facebook return all matching users.
Um, this works with a front-end vulnerability with Facebook, which I reported to them, made them aware of, um, that they don’t consider it important enough to be patched, uh, which I consider quite a significant, uh, privacy violation and a big problem.
This method is currently used by software, which is now available within the hacking community.
Currently, it’s being used to compromise Facebook accounts for the purpose of taking over page groups and, uh, Facebook ad accounts for obvious monetary gain. Um, I set up this visual example without JS.
What I’ve done here is I took 250 Facebook accounts, newly registered Facebook accounts, which I bought online for about $10.
Um, I’ve asked if I’m getting 65,000 email addresses. And as you can see from the output log here, I get a significant number of results from them.
If I look at the output file, you can see that I have a username and the email address that matches the email addresses entered that I used. Now, like I said, I spent maybe $10 to buy 200 Facebook accounts. And within three minutes I managed to do this for 6,000 accounts.
I have tested this on a larger scale and it is possible to use this to feasibly extract up to 5 million email addresses per day.
Now there was an existing vulnerability at Facebook earlier this year, which was patched. This is essentially the exact same vulnerability. And for some reason, despite me showing this to Facebook and making them aware of it, they have told me directly that they will not take any action against it.
So I’m reaching out to people like you, hoping that you can use your influence or contacts to stop this because I’m very confident in it.
Not only is this a massive invasion of privacy, but it will result in another, yet another major data dump, including emails, allowing unwanted parties to not only get these email-to-user-ID matches but also to add the email addresses to phone numbers, which were available in previous breaches. I’m quite happy to demonstrate the vulnerability on the front end so you can see how this works.
I’m not going to show it in this video, simply because I don’t want the video, er, I don’t want the method abused, but I’d like to demonstrate it, er, if I need to. But as you can see, you are seeing more and more output. I believe this is quite a dangerous vulnerability and I would like help to stop this.