But a security researcher has detailed how he found a way to find out *any* Facebook user’s primary email address, regardless of their privacy settings, by exploiting a weakness on the social network.
Security researcher Stephen Sclafani described how he stumbled across the privacy hole while ambling through some old mailing lists.
One of the messages he came across contained a Facebook invitation reminder email, seemingly sent by accident when the user made the mistake of following Facebook’s advice to invite their entire contacts list to the social network:
What is interesting is the clickable URL at the bottom of the invite message.
When Sclafani clicked on the link, he was taken to a Facebook sign up page already filled in with the mailing list’s address and the name of the person who used the link to sign up for an account:
Sclafani took a closer look at the link, and discovered something interesting:
The link contained two parameters: “re” and “mid”:
http://www.facebook.com/r.php?re=245bf2da75118af20d917bdd34babddb&mid=59b63aG5af3107aba69G0G46
Changing the re parameter did nothing; however, changing parts of the mid parameter resulted in other addresses being displayed. Taking a closer look at the parameter, its value was actually a string of values with “G” acting as a delimiter:
59b63a G 5af3107aba69 G 0 G 46
Only the second value was important. The value was an ID associated with the address that the invitation was sent to in hex. A Facebook user’s numerical ID could be put as this value and their primary email address would be displayed. A user’s numerical ID is considered public information and can be obtained from the source of their profile or through the Graph API.
In other words, if you replaced that part of the “mid” parameter with the hex value of a different Facebook user’s numerical profile ID, you would be shown their primary email address.
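To make the mechanism concrete from the defender's side, here is an added example (not code from the article or from Facebook) that models the flaw as a classic insecure direct object reference and shows the fix a practitioner would expect. The user table, the IDs other than the one in the post, the email addresses, the `build_mid`/`prefill_email_*` function names and the HMAC signing key are all constructed for illustration; the only thing taken from the post is the four-field, "G"-delimited layout of the `mid` value with the hex user ID in the second field.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed sample user table (hypothetical IDs and addresses); it stands in
# for the real account store that the sign-up page consulted.
USERS = {
    0x5AF3107ABA69: "mailing-list@example.org",  # address the original invite went to
    0x1F4A3: "alice@example.net",                 # some other user's primary address
}

# Server-side secret for signing invitation references. Generated per run here;
# a real deployment would keep it in a key store and rotate it.
INVITE_KEY = secrets.token_bytes(32)


def parse_mid(mid: str) -> dict:
    """Split the 'mid' value on its 'G' delimiter, as the post describes.

    Field 2 is the invitee's numeric ID in hex; the other fields are kept but
    not interpreted further.
    """
    parts = mid.split("G")
    if len(parts) != 4:
        raise ValueError("unexpected mid format: %r" % mid)
    prefix, user_hex, flag, suffix = parts
    return {"prefix": prefix, "user_id": int(user_hex, 16),
            "flag": flag, "suffix": suffix}


def build_mid(user_id: int) -> str:
    """Rebuild a mid value for a numeric user ID using the layout from the post."""
    return "59b63aG%xG0G46" % user_id


def prefill_email_vulnerable(mid: str) -> Optional[str]:
    """The flawed behaviour: the ID taken straight from the URL is used as a
    database key, so anyone who can guess or enumerate IDs learns the email."""
    user_id = parse_mid(mid)["user_id"]
    return USERS.get(user_id)


def sign_mid(mid: str) -> str:
    """Bind the reference to the server's secret so a client cannot forge one."""
    return hmac.new(INVITE_KEY, mid.encode(), hashlib.sha256).hexdigest()


def issue_invite_link(user_id: int) -> Tuple[str, str]:
    """Server side: create the reference and its tag when the invite is sent."""
    mid = build_mid(user_id)
    return mid, sign_mid(mid)


def prefill_email_hardened(mid: str, sig: str) -> Optional[str]:
    """Hardened behaviour: only honour references the server itself issued.

    compare_digest keeps the tag check constant-time; a reference whose ID has
    been edited no longer matches its tag, so nothing is revealed."""
    if not hmac.compare_digest(sign_mid(mid), sig):
        return None
    return USERS.get(parse_mid(mid)["user_id"])


if __name__ == "__main__":
    original = "59b63aG5af3107aba69G0G46"
    print("vulnerable, original link :", prefill_email_vulnerable(original))
    print("vulnerable, edited ID     :", prefill_email_vulnerable(build_mid(0x1F4A3)))
    mid, sig = issue_invite_link(0x5AF3107ABA69)
    print("hardened, genuine link    :", prefill_email_hardened(mid, sig))
    print("hardened, edited ID       :", prefill_email_hardened(build_mid(0x1F4A3), sig))
```

The design point is that the invitation reference must be unforgeable rather than merely obscure: a signed (or randomly generated, server-stored) token tied to the invite means an edited ID fails verification instead of becoming a lookup key, which is the same property any "prefilled from a link" flow should have before it discloses account data.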
Facebook profile IDs aren’t secret. You can get them easily via sites like Find My Facebook ID or from Facebook’s own profile directory.
Indeed, it’s possible to imagine how someone interested in grabbing the email address of *every* *single* Facebook user could write a script to trawl the profile directory, turn each ID into hex, and then use the modified URL to ultimately scoop up each address.
It’s easy to imagine how a database of such email addresses could be abused.
Fortunately, Stephen Sclafani has some ethics. And rather than try to make a big splash by publishing details of Facebook’s embarrassing flaw, he chose to disclose it responsibly to the social network. Sclafani says that Facebook fixed the flaw within 24 hours, and rewarded him $3,500 for his efforts under their Bug Bounty program.
Facebook certainly appear to be grateful that he acted in the way he did, telling me:
"We appreciate the security researcher's effort to report this issue to our White Hat Program. We worked with the researcher to evaluate the scope of the issue and fix this bug quickly. We have no evidence that it was exploited maliciously."
"We have provided a bounty to the researcher to thank him for his contribution to Facebook security."
Well done to Sclafani for finding the flaw and acting responsibly. And – although it would have been better if the privacy loophole hadn’t been there in the first place – well done to Facebook for fixing it so quickly after being informed.