back to article Facebook bug spills name and pic for all 500 million users

A bug in Facebook's login system allows attackers to match unknown email addresses with users' first and last names, even when they've configured their accounts to make that information private. The information leak can be exploited by social-engineering scammers, phishers, or anyone who has ever been curious about the person …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Grenade

    Investigations

    With all the kerfuffle about what Google do and how they do/don't keep information secret, I really hope/wish the same political pressure would be brought to bear on Facebook. I think they're far more irresponsible than Google.

    1. Stuart Castle Silver badge

      Facebook worse than Google.

      Facebook aren't really.

      Not until they store your complete email archive (even corporate or school/uni email may not be safe as a lot of companies outsource email storage to Google), together with photos and locations of everywhere you go (including your home), together with your search history and browsing habits.

      And yes, apparently if you *ever* sign in to to any Google Service, they do log your search history, and any site using Google Adwords will be logged and tied to your ID.

      The major difference between Google and Facebook with regard to data storage is simple: Any data on Facebook is put there by you, so you know about it. Google store data on you without you even being aware of it.

      Regarding this bug, I don't know that I am bothered. The only email addy I have on my Facebook (in fact the only non-facebook contact method I have on my facebook profile) is a hotmail one I set up years ago purely to collect spam. My name is publically accessible regardless of whether it's on Facebook or not. It's even at the head of this post.

      1. Jimmy Floyd
        Boffin

        "apparently"

        I love that word "apparently" - it allows me to project opinion as fact. I'm sure you're more sensible, but some evidence to support your statement would make it's verifiability more ... apparent.

      2. JamesR87

        Apparent Unawareness

        I'm curious why you draw the line at "I only signed up to a service", the user has still made a concious effort to join the Google crowd. Should they decide not to then they can forgo all the privacy concerns you listed.

        At least, to date, none of my private sales/searches/emails have been susceptible to theft because of Google and yet numerous personal details will have been leaked by Facebook's poor privacy standards.

        I don't see why they'd allow applications access to profile information anyway, it's just not necessary for the vast majority of typically used services.

    2. Dave Rickmers
      Big Brother

      At Least Facebook Asks

      They don't pretend to be anything but a leaky cross-reference (and great conduit for disinformation). The Googs act all noble and benevolent while leading us to their vision of cloud based cyber-utopia.

      1. Daniel 1

        Really?

        You've asked Zuckerberg this, himself, then, and he replied "Honestly, Dave, I don't pretend to be anything but a leaky cross-reference."

        Did he go on to explain how a leaky cross-reference can end up being worth $4 billion, because I'd like to know.

        1. Gordon 10 Silver badge
          FAIL

          50p and a bag of marbles.

          as would we all. Bottom line its worth about its current revenue streams and nothing else.

  2. Anonymous Coward
    Grenade

    What will the neighbors think?

    Damn, I got some facebook links, I wonder if I should ban facebook.com as a rogue website? To protect MY OWN users.

  3. Anomalous Cowturd
    Joke

    I wouldn't be surprised

    to see this bug exploited in shorter order.

    YMMV.

  4. JaitcH
    WTF?

    Ain't technology wonderful - especially Facebook

    It was Shakespeare who gave the line: "For tis the sport to have the enginer Hoist with his owne petar" to Hamlet in 1602 - for an explanation see: < http://en.wikipedia.org/wiki/Petard > - and Facebook is a wonderful example.

    Facebook subscribers have no one to blame for their public exposure as the web site has behaved as immaturely as it's purported owner. There have been plenty of warnings that privacy should not be expected either by technology failings or malicious intent of the web site operators.

    If you want your privacy, don't publish your information anywhere.

    1. VinceH
      Unhappy

      Letters, Digits.

      > If you want your privacy, don't publish your information anywhere.

      Quite right.

      FWIW, my most of my Facebook account is as open as a hookers legs, because I don't consider anything I put there private - some of my basic information is set as private, but the information I absolutely do not want shared isn't on Facebook to begin with.

      I would like to take Atul Agarwal of Secfence Technologies to task, though - the article quotes him as saying "Facebook users have no control over this, as this works even when you have set all privacy settings properly" - I have set all my privacy settings "properly" but that's with a definition of properly that differs from the one in that quote. "Properly" means they are set how I want them to be set, but in the context of the quote it means everything is locked down for absolute privacy (or whatever value of the word privacy applies when it comes to Facebook).

      To be totally honest, it annoys me when people lock things down like that - how in the holy hot-rodding hell am I supposed to work out if the Joe Bloggs I see on Facebook is the Joe Bloggs I used to know, when I can't see where he lives, who his friends are (and who our mutual friends are), and so on. But that's heading off topic somewhat. :)

      1. Shannon Jacobs
        Big Brother

        Joe Bloggs, is datchu?

        That one's easy. You send him a message and include some of the shared information.

        You agreed with the comment about protecting private information by not giving it to Facebook. Not so. Trivial counterexample: One of actual friends (not to be confused with the debased sense of "Facebook Friend") posts a group picture and captions your name. Ugly (but not nearly the ugliest possible) counterexample: Scammer steals some of your personal information and creates a fake Facebook page in your name to scam your friends.

        Facebook is a REALLY bad idea.

        Someone needs to create an alternative system that starts from a Golden Rule of Privacy Principle. If you want to see some of my personal information, you have to agree to share the corresponding personal information with me, and we BOTH have to agree in advance before any actual information is exchanged.

        Privacy Protection Corollary 1: My personal information should belong to me, NOT Facebook or Microsoft of Google or Apple or ANY other humongous corporate monster, and I should be able to make them delete the entire package of MY personal data at ANY time for ANY reason. (There should be a download option, and they can include checksums to prevent tampering.)

        Privacy Protection Corollary 2: If my personal information belongs to me, unauthorized gathering should be a presumptive crime. In the Facebook-type of situation, they are acting as authorized guardians of my privacy, and they should watch for and go after harvesters with the biggest lawyer holding the biggest stick possible.

        1. VinceH

          Letters, Digits.

          > That one's easy. You send him a message and include some of the shared information.

          Not so easy if their settings prevent this - you can choose to receive messages only from friends. You can attach a message to a friend request, which can be locked down as far as friends of friends, IIRC, but then being able to send such a message assumes you do have mutual friends on Facebook - which might not necessarily be the case, if the other person has only recently joined. Or it could be the case if the person is a nasty mean grumpy bastard like me who at one point got so pissed off with his friends and family proliferating panic-status updates and so on that he deleted everyone then started again.

          > You agreed with the comment about protecting private information by not giving it to Facebook.

          > Not so.

          Yes, yes I did - and I stand by that.

          > Trivial counterexample: One of actual friends (not to be confused with the debased sense of > "Facebook Friend") posts a group picture and captions your name.

          You can caption any picture, anywhere, with anyone's name, so I fail to see the relevance. If you mean tagging, which is slightly different, then if someone tags your name such that it is linked to you, you can detag it - and they won't be able to tag it that way again. They can tag it without linking it - but that's really no different to a caption.

          > Ugly (but not nearly the ugliest possible) counterexample: Scammer steals some of your

          > personal information and creates a fake Facebook page in your name to scam your friends.

          Interesting concept, but unless someone joins Facebook and connects with their friends and family on the site without ever mentioning it to those they are in contact with currently, in the real world (which somehow seems natural to me, but maybe I'm just a little bit crazy) then I think it's a non-starter.

          Only once someone has established contact with a good number of their current real world friends and family should they be thinking about contacting people they once knew, a long time ago, IMO - but then that brings us back to your first argument; about contacting people and asking if they're the Joe Bloggs I knew from x years ago: If that's a scammer, pretending to be Joe Bloggs, then he might say yes anyway intending to scam me. Having an open friends/mutual friends list is therefore more secure by your own example, isn't it?

          > Someone needs to create an alternative system that starts from a Golden Rule of Privacy Principle.

          Good idea. Let me know when you've got it up and running, and I'll think about joining it.

      2. Rob Dobs
        Happy

        You could ask

        I don't want to share my face, email etc with someone just because they knew someone with a similar name (especially bad for common names).

        If you want to know if he is the person you are looking for send an email/invite to find out.

        If they are the proper person and they want to talk they can respond.

        I got along with everyone OK, but I can see how some people just wouldn't want to be looked up by some of the people they once knew.

        concerns about corporations holding lots of personal info always gets easily chalked up to paranoia, but having companies like Google and Facebook unchecked is scary. History is full of examples of those with power abusing it. Can you imagine what Stalin or Hitler could have done with such tools? Are modern democratic countries totally immune to falling under the power of a dictator like these goons? (remember facts seem to show Bush ruled the US unelected for 8 years) Something as simple as a name or picture, can show you complexion, race and names alone can give sometimes give an ethnic heritage.

        The US Constitution provides a strong legal protection for privacy, and the forefathers were wise enough to see the perils of the state (or any org) holding too much information over people, though they would spin in their graves at the nanny state we have become.

        We should hold our congressmen responsible for making legislation that would force ALL internet companies to allow users to review their own data that is held, and have the chance to opt out of such reporting. The credit bureaus were finally forced to pretend to do this, and now we have at least a little control over the data they hold over our lives. Its time Google and Facebook are reigned in and forced to respect the right to privacy (looking at Google here, for all its problems Facebooks seems to be trying, they just are guilty of being shitty web site coders. (not a good resume builder these days, web site coder for facebook)

        1. VinceH

          Letters, Digits.

          > If you want to know if he is the person you are looking for send an email/invite to find out.

          Like I said in reply to Shannon, that's not always possible, depending on their settings.

          As you say, though, it could be that they don't want to add old acquantances as friends on Facebook - which is fair enough, each to their own, etc, but surely it makes more sense for those old acquantaces to be able to identify them as, well, them, and try to make contact, at which point they can say "Yes, I am indeed the person you think, but I don't want to add you as a friend on Facebook" - rather than leave them wondering "Is that him, or not?" (and possibly look again, and again, or pester other people with the same name...)

          (The only people I can reasonably understand that level of lock-down are celebs and what not, who don't want to be constantly receiving messages and friend requests from plebs.)

    2. Mark O

      Private or published?

      I'm amazed at what people will unwittingly publish. Like many people I use a hotmail account for facebook, and keep this isolated from anything serious I do online (banking, etc.) When I first signed up to Facebook I used one of it's tools to search for friends using my hotmail contacts. It found a recruitment agent I'd been in touch with and she used a pretty raunchy photo of herself as her main profile pic and was quite explicit in the personal details she made visible - all of this linked to her corporate email address.

  5. Ramshackle

    Explain

    "Harvesting this data is very easy, as it can be easily bypassed by using a bunch of proxies."

    What can be bypassed exactly? It doesn't mention any security measures that would need bypassing. Sounds like a mountain out of a mole hill given how most people have their full names either in or linked to their e-mail addresses these days. If you've got an e-mail address you want to use for some anonymous purpose why the hell would you sign up to facebook with it?

    1. Lucas S. Bickel

      obvious

      This ones easy, If you would try this using just one IP you'd be banned shortly for failing to login over and over. If you try the same thing from behind over 9000 proxies their IDS would not notice and you don't get a ban.

      The IDS thing is probably the one thing that Facebook got right security wise. On the other hand it is to harsh for my taste sometimes. It's not like I'd put anything I consider worth something on Facebook.

  6. This post has been deleted by its author

    1. Combat Wombat
      Boffin

      Doesn't

      MS own a 30% stake in FB already ?

      1. MrT
        Alert

        Is that 30%...

        ... of the total, or just the bit that Zuckerberg doesn't owe to the firewood merchant? Did MS buy the stake from Paul Ceglia, along with a batch of other 'anti-Jobs' devices (assuming Ceglia does a line in silver bullets and that van Helsing is on staff to supervise handling of the stake)?

  7. The Druid
    Go

    Heh Heh

    All those people with rude Hotmail addresses!

  8. Number6

    What email address?

    I use a unique-to-Facebook email address so I don't think anyone would manage to guess it. Even if they do, the picture isn't of me.

    1. nickrw
      Thumb Up

      Re: What email address?

      yay.for+suffixes@facebook.com

    2. Daniel B.
      Happy

      It was a good idea, then.

      My surname in FB is mangled precisely because of privacy issues.

  9. Anonymous Coward
    IT Angle

    Bloody ridiculous

    Just tried it out on myself and it obligingly throws up my name and face. Mind you I don't look like that anymore, so nothing much revealed. But really : how juvenile are these people? There's no excuse for this sort of error. I'll give them 24 hrs to fix it and if not, I'm closing my account down - assuming I can find out how!

    IT? I'm not sure they've heard of it.

    1. a53

      leaving facebook

      You can now remove yourself. And you get an email confirming this and begging you to come back.....

      1. Anonymous Coward
        Anonymous Coward

        begging

        They can beg all they like - I won't be back. Reading the posts below, it seems they deliberately want to make it easy to get in, even at the expense of security (do they know what that means?). Dorks.

    2. Anonymous Coward
      FAIL

      doesn't help much

      I removed myself long ago (years) and they still have my full name, if not my old dp. I'm half tempted to sign up, change my name to "Bugger Off" and kill my account again.

    3. dssf

      Before you CLOSE it down...

      Systematically go through ALL of your posts, then replace them one by one with rubbish. Nothing maliciouis, just rubbish. Rathern than delete them first, replace with rubbish, then leave them a few months to make sure fb doesn't resurrect zombies from your past. Rather than delete or close your account, change the contact information to some other dead-end mail address. Do that several times a year until whomever is buying YOUR information considers the "buy" worthless to them. If enough people do this, it'll force fb to come up with more algorithms to re-match information. Also, it'll probably poison the pool.

      Unfortunately, for those who've posted 3,500+ articles, it'll take quite a long time, even at 10 notes or posts a day, to subvert/destroy the value in their profiles.

      (This is the same idea i had since the early 90s with win 3.1: rather than delete files outright, change the contents and save as the new name. This should (theoretically) destroy the bits that were in the original file. But, later, better schemes arrived. However, in the case of fb, your data eviscirating plan is always at the mercy of fb being on the lookout. I've already noticed that going farther and farther back in ones own posts takes a bit of time. Either they've got super busy servers, or they've caught on and are making it too painful for profile subversion.)

  10. Pablo
    FAIL

    Wow, that's dumb

    Security conscious login systems won't even reveal whether an account exists if you don't provide the correct password, the standard response is something like "User name or password is invalid." Admittedly that is a little bit annoying, so they might be excused to doing away with that security measure. But to actually reveal information about that account is idiotic, and when they combine it with a system where something widely known like an email address functions as the user name, that pushes this into Epic Fail territory.

  11. Jeremy 2
    WTF?

    Sounds like a case of...

    ...it's not a bug, it's an undocumented 'feature'.

    If you read the disclosure thread, it gets worse - it auto-corrects email addresses too so you only have to get the email address 'nearly' right and it'll turn over the real one. Works too, just tested it by adding an extra letter to my wife's login email address and specifying a completely incorrect the wrong password. Result? Corrected version of her email, full name and a really cute photo of our cat.

    What next? "It looks like you made a slight misspelling in your password... but that's OK, we trust you!" ?!?!

  12. Anonymous Coward
    Anonymous Coward

    Bug?

    It's not a bug, it's by design. Shitty design, but design none-the-less

  13. Anonymous Coward
    Unhappy

    Interesting

    Is this a new discovery? It would explain the two people with West African names who wanted to be Facebook friends with 4gnes Slapp3r..

    AC for obvious reasons.

  14. johnvile
    WTF?

    Am I bothered?

    How many people actually use there real name on facebook?

    Or the internet for that matter.

    Why would you? It's bad enough in the real world without letting them get you in the cyber space.

    call me tin foil Tracy but I still prefer to make up names on the spot. Facebook was no exception.

    1. Geoff Campbell
      WTF?

      I do

      I use my real name on line all the time, on all systems(*) I'm registered on, and have done since the early '80s. It's who I am, why would I not? Security is not vested in false names.

      (*) General systems, that is. There may or may not be one or two specific systems on which I really, really don't want to be identified where I might or might not use a pseudonym.

      GJC

  15. Captain TickTock
    WTF?

    Surely this is not new...

    It's just taken a while for someone to notice...?

  16. Electric Panda
    Big Brother

    Old news

    I saw this happening a couple of weeks ago, but thought nothing of it and assumed Facebook were happy with how things were. After all, most Facebook users aren't massively tech savvy and believe that the way Facebook has things set up benefits them wholeheartedly.

    The security implications were immediately obvious and this feature is poorly designed. It seems to allow you to make minor mistakes in your e-mail address, and it auto-corrects for you?? I smell phish.

    Ludicrous. I predict this being changed/patched within days given Facebook's already less than favourable public image.

  17. A handle is required
    WTF?

    Wow.

    That is all.

  18. DEAD4EVER

    facebook

    oh dear me facebook is not having a good time even im registered on it i hope my email address isnt shown or in the hands of attackers there the biggest bunch of idiots that infect the internet today. hackers have nothing better to do there sad all i can say is facebook better get there act together fast

    1. This post has been deleted by a moderator

  19. Glen Turner 666

    Errata needs to be free too

    So was this a silent fix, or did Facebook document the bug and the dates it was extant for?

  20. Alexander Rogge

    Best privacy policy

    The best privacy policy is to assume that anything that you publish on Facebook is public. Get rid of the "privacy" settings and control your own information. None of these companies can be trusted to keep information hidden, so why try? I got a Facebook account to be more public. That was the whole point of social networking. If you want to keep information semi-private, while still risking information theft, get your own Website that you can control.

    1. brianlj

      Re: Best privacy policy

      "The best privacy policy is to assume that anything that you publish on Facebook is public."

      Exactly the way it is with Twitter. If you post something on Twitter, you should realise that it can be seen by ANYONE. That certainly tempers what I say on there.

      It didn't stop Paul Chambers being shafted by the CPS at his #TwitterJokeTrial though.

  21. WoodyZeldaB
    Thumb Down

    Great: a “bug”

    Great: a “bug” on Facebook that compromises our privacy. Whoop tee doo...

    Truth is, Facebook is far from motivated to protect users’ privacy. That’s because it generates revenue by studying the online activities of its members and selling this information to advertisers and marketers hoping, in turn, to sell those users something.

    There is a new privacy- and security-based social-networking site on the way, however, where the user is in complete control of all private information. ZeldaB does not allow advertising nor does it monitor, capture or keep your information, so predators, spammers and window peepers are kept away with strong, built-in, 256-bit security that confirms the identities of each and every member.

    Check it out at www.zeldab.com

  22. Anonymous Coward
    Anonymous Coward

    What bugs me more...

    ...is that _anyone_ can see your profile pic these days. To stop that I either have to make myself unsearchable, or not have a profile pic. Annoying.

    1. dave 46
      Badgers

      Thats the point

      You are searchable, but blow me down with a feather there might be two people in the world with the same name!

      No really!!!!

      So you put your town and your picture so people know who it is. They can find you.

      If you don't want people to find you (who know you name, town and what you look like - obviously wierdos) then don't make it searchable.

      Hell just don't have a facebook account, please.

  23. breakfast
    Unhappy

    Holy cow!

    This is pretty scary for me- I've done everything to keep my identity secret in the email address I use for facebook. Now anyone who wants to will be able to figure out my name, if they only know my email address "firstname@firstnamesurname.com".

    1. Rob Dobs
      FAIL

      Funny but Glib - however you fail to see the risk

      Ok, try this example:

      You have a Facebook account: you in good faith (don't laugh) place your real name and photo on the page and make them PRIVATE, but you use a fake name for your facebook alias, so that you can make anonymous comments online. You then go and write a long rant online using this alias name, about how much you hate George Bush, and what a bad criminal president he was etc etc.

      Then this little facebook bug gets publicized, and your boss (who is just peachy for Bush) decides to find out who this infamous bush hater is, and wow now your fired. Sure its illegal to fire someone for that reason, but they don't have to tell you why.

      Or say your not badmouthing, but just speaking up about how much you enjoyed a day related to a religious ceremony. A bug like this could be used to identify people of certain religions, races, beliefs etc. Once you know a name and face it is much easy to run smear campaigns, or simply eliminate and opposition (more importantly eliminate the vocal head of your opposition).

      Just because you use your full name as your email address does not mean that other people do not, or have a valid reason too. Further when you sign up and use a service that purports to keep some of this information PRIVATE - you do not expect them to go out and serve it up to ANYONE who requests it anonymously online.

  24. Lickass McClippers
    Paris Hilton

    Brilliant...

    So assuming they get my name right, few people do, they'll be presented with a picture of a fox licking a window, next to my email address...

    /\ /\ /\ I'm not saying she's a fox, but I suspect she's licked a window or two...

  25. BigSteve

    who can you trust theses days anyway?

    Surely if you dont want anyone knowing something just dont put it on there.

    I've 2 email address, 1 for logging into things (including facebook) that I never give out & 1 I give out to people (a msn one) & I set my profile to 'friends only'.

    After puting my msn email address on facebook a day later someone had tried hacking into it - nice to know what my 'friends' get up to in their spare time :-)

    Besides which theres other ways to find things out - I once came across a loop hole on ebay were you could use someones email address to see the things they had bought & bidded on.

  26. Anonymous Coward
    FAIL

    Removing yourself from FB

    thinking about it wouldn't the best way to get your account removed is to post pics and language that breaks FB policies, or have a number of friends send in "complaints" about you, that way the FB team themselves will lock and remove your account + details.

    Just a thought, has anyone tried this?

  27. Anonymous Coward
    Anonymous Coward

    Wow.....

    Given that my full name is in my email address and my FB profile pic is that of a Stormtrooper Mr Potato Head (tm) I don't think I'm going to spend too many sleepless nights worrying about this.

  28. David Barrett

    exploit?

    Im not sure if some one has already pointed this out.. But to call this an exploit is a bit of a stretch.

    FB has always done this (Well at least as long as I have been using it) and as far as I can tell its the designed functionality when you try to log in it shows you a picture and your name.

    Its perhaps not very well thought out because it can be used in the way described in the article but its hardly an exploit.

  29. dave 46
    Megaphone

    Choice

    You choose to join a social networking site.

    Note the 'networking' bit, it's quite important.

    You then decide to hide yourself away so nobody can find you.

    How is this networking? Shame on Facebook for allowing a bug to reveal the hiders but for me they would do better to remove the option to hide.

    You network, or you don't network - stop taking up dead bytes just so you can feel special.

  30. AceRimmer1980
    Black Helicopters

    My Facebook settings are set properly

    I don't have a Facebook account.

  31. OffBeatMammal

    wonder if this explains the flurry of spam friend requests last night

    had an absolute flurry of spammy friend requests last night to both my usual FB email account and a secondary one that seemed legit because they had my name as it appears on FB and even some "mutual friends" populated... (who, not surprisingly were not actually connected)

    all these where from profiles that were just a link to a pornbook site.

    luckily the profile picture was of someone I'm sure I would have remembered if we really were friends so I checked before confirming.

    the tide of crap is rising and the internet will drown!

  32. Anonymous Coward
    Anonymous Coward

    remeber

    Remember FB was created by some daft student who wanted to arrange a piss up with other students, and swap pics of their debauchery but didn't want to spend the money sending texts / MMS.

    From its initial inception, it was a tool to share information with all and sundry.

    So if the point is to share and be open, the whole privacy issue is contradictory.

    Wouldn't touch it with a barge pole. I can speak to my mates using a phone, I can share anything via email / IM / file transfer, god pick a utility!

    The point is, if you're stupid enough to live your life on FB, you deserve to be ripped off, chewed up and spat out. And it's only time before 100's millions of users are seriously affected by their need to use FB.

    Watch me laugh, and laugh, and laugh..............

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2022