Facebook Fixes Privacy Bug

Aug 13th, 2010 | By technologynews | Category: Technology

Facebook has fixed a bug that could have been abused by someone
looking to get their hands on the full names and photos of users.

Atul Agarwal of Secfence Technologies posted information about the issue to the Full Disclosure mailing list Aug.
11. If someone entered a users e-mail address and the wrong
password in the log-in page, the site coughed up the users full name
and profile picture in addition to an incorrect password message.

Sometime back, I noticed a strange problem with Facebook, I had
accidentally entered wrong password in Facebook, and it showed my first
and last name with profile picture, along with the password incorrect
message, Agarwal wrote. I thought that the fact that it was showing
the name had something to do with cookies stored, so I tried other
e-mail id’s, and it was the same. I wondered over the possibilities,
and wrote a POC tool to test it.

The problem could have been exploited for social engineering purposes by phishers, or used to verify random e-mail addresses by checking them against Facebook, Agarwal added.

In a statement, a Facebook spokesperson said the bug has been
fixed, and added that the site’s policy prohibits anyone from
scraping it for information.

We have technical systems in place to prevent peoples names and
profile photos from showing to unrelated users upon login, but a
recently introduced bug temporarily prevented these from working as
intended, according to the spokesperson. We remedied the situation
swiftly.

Earlier this year, Facebook revamped its privacy controls in response to criticism, and recently moved to extend those controls to users of the mobile version of the site.

Full Text RSS Feeds | WordPress Auto Translator

Tags: , , , , , , , , , , , , , , , , , , ,

Comments are closed.