back to article Facebook plugs email address indexing bug

Incident-prone social network monolith Facebook has plugged yet another security leak, this time involving the indexing by search engines of email addresses not listed on Facebook. Thousands of email addresses submitted using Facebook's "Find a friend" feature that were not tied to a Facebook account wound up getting indexed …

COMMENTS

This topic is closed for new posts.
  1. Tom 15

    Well...

    That's the problem with open infrastructures like Facebook's, as soon as you introduce user controls for privacy and permissions then you add the ability for lusers to get these things wrong. Somehow with Facebook being a website though they get a lot more stick than Microsoft do for the same issues on the Desktop.

  2. Doc Spock
    Stop

    Umm...

    "Facebook changed its robot.txt file to prevent the search engine from indexing the relevant "opt out of emails from Facebook" page so that email address data can no longer be harvested by spammers or other miscreants."

    What's to stop the spammers, etc from writing their own web-crawler which simply ignores the robots.txt file? Such a move is hardly beyond the scope of most semi-organised gangs.

    1. Anonymous Coward
      Anonymous Coward

      "Such a move is hardly beyond the scope of most semi-organised gangs."

      Yes but when Zuckerberg's advisers tried to explain that to him, using lego models and everything, they found that it was well beyond the scope of Mark's understanding - and gave up.

    2. TeeCee Gold badge
      Joke

      Re: Umm...

      Yup, too difficult to fix properly, so work around it.

      Change the form header from "Opt out of emails from Facebook" to "Opt in to emails from absobloodylutely everyone except Facebook".

      That should do it.

  3. Anonymous Coward
    Anonymous Coward

    Becoming a bit of a FarceBook

    So the bugs are piling up, some days and weeks s**t happens, that's the nature of IT.

    BUT the users gave Facebook their email addresses, they typed them into a form at some point, even if they did not want them published. Bit of blind faith here.

    When will people learn that when you give information to another party, you also give them total control. Even if they are not malicious, they may, like the DVLA, sell it, or give it to 'partners' or just plain lose it.

    Whatever you type in to websites, (or even local applications), you are trusting the other party not to screw up or screw you over.

    1. Anonymous Coward
      Anonymous Coward

      Re: Becoming a bit of a FarceBook

      "BUT the users gave Facebook their email addresses, they typed them into a form at some point, even if they did not want them published. Bit of blind faith here."

      Actually, the problem is that _other_people_ are entering your e-mail address in the hope of finding you on facebook. And when no match is found (because you haven't given facebook that info), search engines were still able to index your e-mail address.

      This is not a problem caused by the users - even if you didn't have a facebook page, your e-mail address could still be indexed.

    2. Skip

      Err, no...

      ...it was the feature where someone else gives your email address to Facebook, to be told when (or if) you join Facebook. So no action from you, just your (so called) friend.

      Personally, I'd hope my friends would never submit my email address anywhere without checking with me first, but Facebook does make it very easy by offering to "Search your email for friends already on Facebook". And no doubt FB keep all the addresses they find, just in case...

    3. Anonymous Coward
      Anonymous Coward

      Re: Becoming a bit of a FarceBook

      You'd hope that the likes of the DVLA has opt-in/opt-out boxes as to not sell our info to any Arthur Daley type.

      Although having said that, what with the election having recently happened, plenty of Arthur Daley's seems to have bought the election register GRRRRRR! and I'm including policial parties there!

      But plenty of spam for all these poor people having their email listed, surely the ICO should get involved ... download it to a USB for a NHS or MOD employee to have stolen from their car, which later is stolen.

  4. Law
    Happy

    It's just not your month, is it, b*tch?

    Fixed it for you - I thought it was the done thing for all things facebook?

  5. Paul Ryan

    They definitely record email searches.

    I've never used Facebook, but I've gotten the occasional invitation to join. What bothers me is that it 'suggests' people as friends to contact. The people in question are indeed people I know, but to my knowledge have absolutely no connection other than that they know me, and presumably have all done a search on Facebook for my email at some point.

  6. uchu
    FAIL

    robots.txt is not a security protocol

    Just like doc spock relates above.... robots.txt is not a security protocol.

    And it's not just miscreants, major search engines reserve some rights to still spider (but not include in their public index) stuff that they are told not to look at via robots.txt. And there's all the silly parasitic bots appearing in the Amazon cloud, goober bots like 80legs, and all the corporate sponsored bots that tend to ignore robots.txt entirely.

  7. Mike Kamermans
    WTF?

    how can search engines find this data in the first place?

    I'm a bit confused by the " those exposed have their so-called mates to thank for any exposure" statement... why are people who search for email addresses to blame for search engines being able to index the email address?

    Why is that email address retained in a publically accessible way by facebook in the first place?

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2021