It's supposed to be a "feature" :). Cool stuff you found this out.
On Wed, Aug 11, 2010 at 11:06 AM, Atul Agarwal <a...@secfence.com> wrote:

> Hello all,
>
> Sometime back, I noticed a strange problem with Facebook. I had accidentally entered a wrong password in Facebook, and it showed my first and last name with profile picture, along with the password incorrect message. I thought that the fact that it was showing the name had something to do with cookies stored, so I tried other email IDs, and it was the same. I wondered over the possibilities, and wrote a POC tool to test it.
>
> This script extracts the First and Last Name (provided by the users when they sign up for Facebook). Facebook is kind enough to return the name even if the supplied email/password combination is wrong. Furthermore, it also gives out the profile picture (this script does not harvest it, but it's easy to add that too). Facebook users have no control over this, as this works even when you have set all privacy settings properly. Harvesting this data is very easy, as it can be easily bypassed by using a bunch of proxies.
>
> As Facebook is so popular, some implications -
>
> 1) Someone has a list of email addresses that he has no clue about. He can feed them to Facebook one by one (or in a list, using a script like this) and chances are that he'll get more than 50% hits. Useful for phishing attacks (People will get more convinced when they see their *real* names).
>
> 2) One can generate random email addresses, and *verify* their existence. Hint: You can generate emails using (common names + a corporate domain), and check them against Facebook. Might come handy in a Pentest.
>
> Rest is only left up to one's imagination.
>
> Find the POC script attached.
>
> PS: I did not report this, as I am unsure on what to call it, a "bug", "vuln" or a "feature".
>
> Thanks,
> Atul Agarwal
> Secfence Technologies
> www.secfence.com
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
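The weakness the quoted post describes is a login error path that behaves differently for a known account than for an unknown one. Added example, not code from the thread or from Facebook: a login handler with that leak next to a hardened one that returns a uniform error, plus a log check for the many-emails-from-one-source pattern such harvesting produces. The user store, hash stand-in and log lines are constructed for the example.

```python
import hmac
from collections import defaultdict

# Constructed user store for the example: email -> (display name, password hash stand-in)
USERS = {
    "alice@example.com": ("Alice Example", "hash-of-alice-pw"),
    "bob@example.com": ("Bob Example", "hash-of-bob-pw"),
}

def fake_hash(password: str) -> str:
    # Stand-in for a real password hash; an assumption of this example only.
    return "hash-of-" + password

def leaky_login(email: str, password: str) -> dict:
    """The behaviour the post describes: unknown email and wrong password give
    different messages, and the wrong-password message carries the account
    holder's name, so every failed attempt confirms whether the account exists."""
    rec = USERS.get(email)
    if rec is None:
        return {"ok": False, "error": "Unknown email address"}
    name, pw_hash = rec
    if hmac.compare_digest(pw_hash, fake_hash(password)):
        return {"ok": True, "name": name}
    return {"ok": False, "error": f"Incorrect password for {name}"}

def hardened_login(email: str, password: str) -> dict:
    """Same check, but unknown-email and wrong-password paths return an identical
    response, the hash comparison runs either way, and the name is only released
    after a successful authentication."""
    name, pw_hash = USERS.get(email, (None, fake_hash("dummy-to-equalise-work")))
    ok = hmac.compare_digest(pw_hash, fake_hash(password)) and name is not None
    if ok:
        return {"ok": True, "name": name}
    return {"ok": False, "error": "Incorrect email address or password"}

# Constructed failed-login log lines: "<source ip> <email> <result>"
LOG = [
    "198.51.100.4 alice@example.com FAIL",
    "198.51.100.4 alice@example.com OK",
    "203.0.113.9 alice@example.com FAIL",
    "203.0.113.9 bob@example.com FAIL",
    "203.0.113.9 carol@example.com FAIL",
]

def enumeration_suspects(lines, threshold=3):
    """Return source IPs whose failed logins span at least `threshold` distinct
    emails, a signal of account probing rather than one user mistyping."""
    distinct = defaultdict(set)
    for line in lines:
        ip, email, result = line.split()
        if result == "FAIL":
            distinct[ip].add(email)
    return sorted(ip for ip, emails in distinct.items() if len(emails) >= threshold)
```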