A security researcher has made public a Facebook vulnerability exposing millions of user email addresses after Facebook allegedly dismissed the exploit when he reported it to them. Ars Technica has viewed a video created by the researcher demonstrates the exploit:
A video circulating on Tuesday showed a researcher demonstrating a tool named Facebook Email Search v1.0, which he said could link Facebook accounts to as many as 5 million email addresses per day. The researcher—who said he went public after Facebook said it didn’t think the weakness he found was “important” enough to be fixed—fed the tool a list of 65,000 email addresses and watched what happened next.
“As you can see from the output log here, I’m getting a significant amount of results from them,” the researcher said as the video showed the tool crunching the address list. “I’ve spent maybe $10 to buy 200-odd Facebook accounts. And within three minutes, I have managed to do this for 6,000 [email] accounts.”
Facebook said this in response:
In a statement, Facebook said: “It appears that we erroneously closed out this bug bounty report before routing to the appropriate team. We appreciate the researcher sharing the information and are taking initial actions to mitigate this issue while we follow up to better understand their findings.”
A Facebook representative didn’t respond to a question asking if the company told the researcher it didn’t consider the vulnerability important enough to warrant a fix. The representative said Facebook engineers believe they have mitigated the leak by disabling the technique shown in the video.
But here’s what the researcher said about how Facebook responded to his initial report:
The researcher, whom Ars agreed not to identify, said that Facebook Email Search exploited a front-end vulnerability that he reported to Facebook recently but that “they [Facebook] do not consider to be important enough to be patched.” Earlier this year, Facebook had a similar vulnerability that was ultimately fixed.
“This is essentially the exact same vulnerability,” the researcher says. “And for some reason, despite me demonstrating this to Facebook and making them aware of it, they have told me directly that they will not be taking action against it.”
Total #Fail for Facebook. But the #Fail gets worse:
An email Facebook inadvertently sent to a reporter at the Dutch publication DataNews instructed public relations people to “frame this as a broad industry issue and normalize the fact that this activity happens regularly.” Facebook has also made the distinction between scraping and hacks or breaches.
This is now an #EpicFail because it is clear that Facebook doesn’t care about its users and protecting them. If this combined with Facebook’s other #EpicFails doesn’t make you want to #DeleteFacebook, nothing will.