In an e-mail message posted to the Full Disclosure mailing list, Atul Agarwal, a security researcher and CEO of Secfence Technologies, describes how Facebook can be prompted to reveal user names and profile pictures even when user privacy settings have been set to conceal this information.
Agarwal says he discovered the issue when he accidentally entered an incorrect password while trying to log into Facebook.
The site proved to be too helpful, returning a user name and profile picture along with the supplied e-mail address, even though the password was incorrect.
As a result, a malicious user can learn the Facebook user names associated with valid e-mail addresses.
"Facebook users have no control over this, as this works even when you have set all privacy settings properly," wrote Agarwal. "Harvesting this data is very easy, as it can be easily bypassed by using a bunch of proxies."
Agarwal created a proof of concept script to demonstrate how this flaw -- presenting user information before applying privacy settings -- can be used for data harvesting.
Elaborating on Agarwal's find, another mailing list contributor, Javier Bassi, observed that Facebook's helpfulness goes even further: It will suggest a valid user name, profile picture, and e-mail addresses when supplied an e-mail address that's incorrect but similar to a valid one.
While such automated corrections may be helpful, they can also be misused.
Beyond the privacy failure, the ability to associate real names with e-mail addresses can make phishing attacks more effective. And the ability to generate valid e-mail addresses from random guesses can be used to build spam lists or conduct reconnaissance about users with e-mail accounts from a particular company or domain.
A Facebook spokesperson said the company is investigating the issue.
Update: After this story was filed, a Facebook spokesperson responded with the following statement:
"We have technical systems in place to prevent people’s names and photos from showing to unrelated users upon login, but a recently introduced bug temporarily prevented these from working as intended. We are already working on a fix and expect to remedy the situation shortly. Please note that our Statement of Rights and Responsibilities (http://www.facebook.com/terms.php) dictates who and how public information can be accessed, and we prohibit people from scraping our site."