A security researcher has uncovered a security vulnerability in the Facebook social media service that allows anyone to gather the private email address of any user.
Facebook Email Harvesting Made Easy
The security researcher Tommy DeVoss discovered a security bug in the Facebook social media service that allows anyone to gather the private email address of any other user. The bug was disclosed via the company’s bug bounty program, which awarded DeVoss the sum of 5000 US Dollars. One characteristic of this type of disclosure is that the report must be objectively verified: Facebook engineers confirmed that the bug was legitimate before releasing the payment to the bug bounty hunter.
The security issue involved the user-generated Facebook Groups feature. The research uncovered that group administrators could grant any active Facebook member administrative privileges using Facebook’s own systems. However, the invitation requests are routed through the primary email address associated with the relevant user account.
Even where users had opted to hide their email address, the service failed to hide it. DeVoss discovered that when he cancelled a pending invitation he was able to view the full email address from the mobile version of the Page Roles tab: the address was clearly visible in plaintext in the URL sent to the user.
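As an added illustration (not code from the original report; the URL layout and the sample accounts are assumptions), the following Python contrasts a cancel link that embeds the invitee's email, as described above, with one that references the invitation by an opaque token, plus a simple check that flags any URL carrying an email address:

```python
import re
import secrets

# Constructed sample accounts (hypothetical data, not from the report).
USERS = {
    "u1001": {"email": "alice@example.com", "email_visibility": "only_me"},
    "u1002": {"email": "bob@example.com", "email_visibility": "public"},
}

# Pending invitations keyed by an opaque token (hardened design).
PENDING = {}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def leaky_cancel_url(user_id):
    """Models the reported flaw: the cancel link for a pending role
    invitation carries the invitee's primary email in the clear.
    The URL layout is an assumption, not Facebook's real one."""
    return f"https://m.example.test/page/roles/cancel?email={USERS[user_id]['email']}"


def create_invite(user_id):
    """Hardened design: reference the invitee by a random token only."""
    token = secrets.token_urlsafe(16)
    PENDING[token] = user_id
    return token


def safe_cancel_url(token):
    """The link carries the token; the address never appears in it."""
    return f"https://m.example.test/page/roles/cancel?invite={token}"


def resolve_invite(token):
    """Server side: look the invitee up; the email stays on the backend."""
    return PENDING.get(token)


def email_for_viewer(viewer_id, user_id):
    """Honour the 'only me' privacy setting wherever an address is rendered."""
    user = USERS[user_id]
    if user["email_visibility"] == "only_me" and viewer_id != user_id:
        return None
    return user["email"]


def contains_email(url):
    """Defender-side check: flag any URL that exposes an email address."""
    return EMAIL_RE.search(url) is not None
```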
The Implications of The Facebook Vulnerability
Email harvesting is a criminal activity that is widely used in large-scale botnet attacks. Many well-known ransomware families generate millions of dollars of income through blackmail and extortion, and the majority of their victims were infected through an email message that contained personal information. Using a Facebook username together with the primary email address associated with it, an attacker or a hacker collective could devise a very dangerous campaign that could potentially compromise millions of users.
Facebook has confirmed the bug and has stated that it is actively working on a solution to the problem. Fortunately no attacks that leverage the issue have been reported.
For more information on the issue you can read DeVoss’s detailed blog post.