Slashdot Mirror


Facebook Bug Could Give Spammers Names, Photos

angry tapir writes with this excerpt from an IDG report: "Facebook is scrambling to fix a bug in its website that could be misused by spammers to harvest user names and photographs. It turns out that if someone enters the e-mail address of a Facebook user along with the wrong password, Facebook returns a special 'Please re-enter your password' page, which includes the Facebook photo and full name of the person associated with the address. A spammer with an e-mail list could write a script that enters the e-mail addresses into Facebook and then logs the real names. This could help make a phishing attack more realistic."

3 of 145 comments

  1. This flaw is no longer available by SplatMan_DK · Score: 5, Informative

    This flaw is no longer available on Facebook logon pages.

    In fact it was removed before this story made it to the /. front page.

    It was removed approx. 11 hours after the first public articles about it.

    - Jesper

    --
    My security clearance is so high I have to kill myself if I remember I have it...
  2. Re:Not The Only Problem by creat3d · Score: 5, Informative

    You can set your profile not to be searchable by email address.

    --
    Grammar nazis are to this community what excrements are to gold.
  3. Return vs. Fresh Login by Kelson · Score: 5, Informative

    Maybe it relies on a cookie or something, and it only shows that to you because you've been logged in before.

    That does seem to be the case. I just tested it on two browsers, one of which I don't use with Facebook.

    On the browser that I don't use with Facebook, the "Please enter your password" screen did not include a name or picture.

    On the browser that I do use with Facebook, and had just logged out seconds before, my name and photo did appear. However, if I entered someone else's address, the name and photo did not appear. Just for kicks, I tried two email addresses, one of which I know does have an account and one of which I know doesn't. Facebook *did* tell me which one was not associated with an account.

    A spammer isn't going to have your cookies, so they won't get your name and photo. But they can confirm whether you have a Facebook account or not.
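The response difference Kelson describes, and the name/photo leak in the story itself, are the classic account-enumeration problem in a login handler: a failure message that depends on whether the e-mail exists. As an added example that is not part of the story or any comment here, this toy Python login handler shows the leaky form beside a hardened one that answers every failure identically; the user store, names, photo URLs and hashing parameters are constructed for illustration and are not Facebook's.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed sample user store (not a real service's data).
@dataclass
class User:
    email: str
    name: str
    photo_url: str
    salt: bytes
    pw_hash: bytes

def _hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2; iteration count kept low only so the example runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

def make_user(email: str, name: str, photo_url: str, password: str) -> User:
    salt = os.urandom(16)
    return User(email, name, photo_url, salt, _hash(password, salt))

USERS = {u.email: u for u in [
    make_user("alice@example.com", "Alice Example", "https://example.com/alice.jpg", "correct horse"),
]}

def leaky_login(email: str, password: str) -> dict:
    """Weak version: distinct errors, plus profile data on a wrong password."""
    user = USERS.get(email)
    if user is None:
        return {"ok": False, "error": "No account for that e-mail"}
    if not hmac.compare_digest(_hash(password, user.salt), user.pw_hash):
        # Reveals display name and photo to anyone who knows the address.
        return {"ok": False, "error": "Please re-enter your password",
                "name": user.name, "photo": user.photo_url}
    return {"ok": True, "name": user.name}

# Dummy credential so unknown e-mails still cost one hash computation.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("dummy", _DUMMY_SALT)

def uniform_login(email: str, password: str) -> dict:
    """Hardened version: one generic failure for unknown e-mail and wrong
    password alike, with a hash computed either way so timing is similar."""
    user = USERS.get(email)
    salt, expected = (user.salt, user.pw_hash) if user else (_DUMMY_SALT, _DUMMY_HASH)
    valid = hmac.compare_digest(_hash(password, salt), expected) and user is not None
    if not valid:
        return {"ok": False, "error": "Invalid e-mail address or password"}
    return {"ok": True, "name": user.name}
```

Profile data should appear only after a successful authentication, so the hardened handler never echoes a name or photo on failure.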