Facebook Bug Could Give Spammers Names, Photos

← Back to Stories (view on slashdot.org)

Facebook Bug Could Give Spammers Names, Photos

Posted by timothy on Thursday August 12, 2010 @08:11AM from the who-am-I-again? dept.

angry tapir writes with this excerpt from an IDG report: "Facebook is scrambling to fix a bug in its website that could be misused by spammers to harvest user names and photographs. It turns out that if someone enters the e-mail address of a Facebook user along with the wrong password, Facebook returns a special 'Please re-enter your password' page, which includes the Facebook photo and full name of the person associated with the address. A spammer with an e-mail list could write a script that enters the e-mail addresses into Facebook and then logs the real names. This could help make a phishing attack more realistic."

100 of 145 comments (clear)

Min score:

Reason:

Sort:

*Smack Face* by Monkeedude1212 · 2010-08-12 08:13 · Score: 5, Insightful

Seriously? Who is freaking writing these web pages? It would have been easier to NOT include photo's and names than to build it in there!
1. Re:*Smack Face* by odies · 2010-08-12 08:15 · Score: 4, Insightful
  
  I think the summary and story is looking at wrong aspect about it too. Spammers, whatever. You're just one in a million. This is a lot more serious about people that just know your email, but are in more personal contact with you than some spammers. Website owners, forum administrator, people you meet on the internet.. Those who know your email but don't really know your real identity. That's a lot more serious privacy violation.
2. Re:*Smack Face* by Anonymous Coward · 2010-08-12 08:28 · Score: 2, Funny
  
  Seriously? Who is freaking writing these web pages?
  Probably an ex-Slashcode developer.
3. Re:*Smack Face* by mcgrew · 2010-08-12 08:36 · Score: 1, Informative
  
  It would have been easier to NOT include photo's and names than to build it in there!
  
  Dude, please learn when to use an apostrophe. We have lots of non-native English speakers here, and they may assume that your use of language is educated, seeing as how this is a nerd site and all.
  Moderators, please mod me down, I'm offtopic. Thx.
  
  --
  Free Martian Whores!
4. Re:*Smack Face* by ilo.v · 2010-08-12 08:36 · Score: 2, Interesting
  
  Who is freaking writing these web pages? It would have been easier to NOT include photo's and names
  I'm not defending their choices, but there is a legitimate reason why they would do this. Some users mistype their username, not their password. This results in a "failed login" screen. If there is no photo (or name) they may assume they have mistyped their password, and keep trying it over and over. Throwing up the picture associated with that account helps the user figure out that the reason they can't log in is because they are mistyping their username, not their password.
5. Re:*Smack Face* by Pteraspidomorphi · 2010-08-12 08:45 · Score: 1
  
  Maybe he's a non-native speaker himself ;)
6. Re:*Smack Face* by Monkeedude1212 · 2010-08-12 08:47 · Score: 1, Informative
  
  It is a bad habit I have. I'll write a sentence, then I'll read it over, and decide to change the structure entirely, then re-read it a bit to make sure it makes sense, then put it up there without looking too much at grammar.
  So if I had said something like "The photo's location" but then decided the location part is irrelevant and I could just work it around to just say "the photos" then I do so, but its all cut copy paste delete so the apostrophe reamins in place. Makes errors and I apologize.
  I also tend to form a lot of run on sentences or use too many commas, like that first sentence up there. I left it as is so you can see my general though pattern. Normally I would go back and work my sentences into something with a little more sensible flow and pace. I have found that I abuse a hyphen quite frequently - as if putting it there makes it seem like a quick pause without needing to use a comma, which is terrible I know.
7. Re:*Smack Face* by Monkeedude1212 · 2010-08-12 08:59 · Score: 1
  
  I see your point, and it is an excellent one. However, I think I would have prefered it being some kind of bug that suggests the page you are being redirected to when failing to login goes to a default page which then loads certain contols (like other facebook pages), and that it naturally shows the info when you are logged in. As opposed to a logical error that someone thought this would be a good idea and didn't consider the consequences of privacy involved with it. Not that I'm surprised with the current administration of the site or anything - nor that my preference of privacy issues being technical errors over design flaws makes any difference whatsoever.
8. Re:*Smack Face* by Abstrackt · 2010-08-12 09:03 · Score: 2, Insightful
  
  I do some of my banking with ING and they let you select a combination of a picture and phrase that's unique to you, why couldn't Facebook implement the same? All they would need is a stock of pictures for people to choose from and a text field. If you don't see your selected picture and your selected text you'd know you tried logging into the wrong account.
  
  --
  They say a little knowledge is a dangerous thing, but it's not one half so bad as a lot of ignorance. - Terry Pratchett
9. Re:*Smack Face* by SmlFreshwaterBuffalo · 2010-08-12 09:05 · Score: 2, Insightful
  
  I wouldn't call that a legitimate reason since that implies, well, legitimacy. Instead, it's simply a possible explanation for how they arrived at their poor choice.
  A more secure solution to the problem you pose would be to clear the user name on the "failed login" screen in addition to the password, regardless of which is incorrect. And if anyone wants to argue that having to retype both would be inconvenient, I'll preemptively counter by saying security should not be sacrificed for the sake of convenience.
10. Re:*Smack Face* by yenne · 2010-08-12 09:37 · Score: 5, Insightful
  
  I just tried it. Looks to me like Facebook has a problem with users who enter the wrong e-mail address and can't figure out why their logon isn't working. Hence, the "Not you? Click here." option beside the picture.
  It's entirely possible that the idiocy behind the interface design is in an ongoing stupidity arms race with the consumers on the other end.
11. Re:*Smack Face* by paulbiz · 2010-08-12 09:57 · Score: 5, Interesting
  
  I have a "good" gmail address (my full name@gmail.com) and I constantly get e-mail from other people signing up for things who apparently don't know their own e-mail address. I've received passwords and various other sensitive data. Sprint was sending me receipts for someone's very large corporate purchases, I kept replying and forwarding them to sprint's customer care and they basically told me they can't do anything about it and to just delete them and not worry about it.
  It's also amazing how many sites will not let you unsubscribe without providing some kind of personal info. Seriously? They let you sign up with the wrong address without confirming it, but I can't unsubscribe unless I know the last 4 digits of the guy's SSN?
12. Re:*Smack Face* by Pharmboy · 2010-08-12 10:03 · Score: 2, Interesting
  
  I have a "good" gmail address (my full name@gmail.com) and I constantly get e-mail from other people signing up for things who apparently don't know their own e-mail address.
  Glad to know I am not the only one. My yahoo email address, which I have used since the mid 90s when they started offering email (back when 9 characters was the maximum name size....) gets the same thing, legitimate "thanks for signing up" from legit companies, where some idiot didn't know their own email address. Ironically, my email address is a real oddball one, so how they would use it is beyond me.
  
  --
  Tequila: It's not just for breakfast anymore!
13. Re:*Smack Face* by yenne · 2010-08-12 10:12 · Score: 1
  
  I constantly get e-mail from other people signing up for things who apparently don't know their own e-mail address.
  My e-mail address is also my full name with a "dot net" at the end, and I have chronic issues with customer service reps who don't know how to type anything other than "dot com".
  That is pretty ridiculous about not being able to unsubscribe, though.
14. Re:*Smack Face* by Dhalka226 · 2010-08-12 10:23 · Score: 4, Interesting
  
  I had the same problem happen, with some extremely sensitive data coming in.
  In addition to somewhat mundane things like airline confirmations, hotel confirmations, etc, there were several letters about legal problems. The person they were trying to reach is apparently the head of an investment group and under investigation by the SEC. I also once received an email containing a bank account number with routing number. Usually it was sent to his (proper) business address and CC'd to my address, which I assume they thought was a personal address for him. When correspondence from lawyers starting coming in I decided it was well past time to start emailing these people and telling them to oh my god please stop. That's a can of worms I just wanted no part of whatsoever.
  I did do a quick Google search for the guy; same last name, different first name (same first initial, the combination of which is my email address). Really a problem that shouldn't have happened, especially not that many times from that many different sources.
15. Re:*Smack Face* by SmlFreshwaterBuffalo · 2010-08-12 10:31 · Score: 1
  
  I can't tell if you're agreeing or disagreeing with me, since website security and the dog & pony shows performed at U.S. airports are not even remotely related.
16. Re:*Smack Face* by RabbitWho · 2010-08-12 10:42 · Score: 1
  
  I think they tried to copy the "active neopet" login security feature on Neopets.
  
  --
  it's under construction
17. Re:*Smack Face* by ekhben · 2010-08-12 11:58 · Score: 1
  
  That's only 10,000 combinations. Brute force script it. Don't bother testing for success, just blast 10,000 HTTP requests at them.
18. Re:*Smack Face* by Piranhaa · 2010-08-12 16:12 · Score: 1
  
  Last year I had someone at the the Sierra Club having their mail being forwarded to me. The guy's name was identical to mine.
  I replied to it saying I must be getting their emails, but I guess it wasn't important.
  I got confidential email after confidential email. Even emails that "Sally was not impressed with the way you guys left the kitchen today". So I had some fun replying to some of their emails.
  It took them a few months before anyone finally fixed it - or the guy finally realized that his email wasn't (firstname)(lastname)@gmail.com
19. Re:*Smack Face* by FlyMysticalDJ · 2010-08-12 17:13 · Score: 1
  
  This really makes me wonder why the scammers out there aren't signing up for tons of generic name sounding e-mails, hoping to get people's misplaced mail. Of course, for all I know, they already do.
20. Re:*Smack Face* by Khyber · 2010-08-12 17:20 · Score: 1
  
  Posts *CAN* be edited.
  It's called 'preview' and 'continue editing.'
  While I may not be one to use it that often, I do use it now and then, and I am quite aware of it. Those unaware of it have a very narrow focus and might wish to be checked for tunnel vision.
  
  --
  Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
21. Re:*Smack Face* by Khyber · 2010-08-12 17:22 · Score: 3, Insightful
  
  This is why I do not use my name as part of my e-mail address.
  This cuts down on that problem considerably.
  
  --
  Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
22. Re:*Smack Face* by Khyber · 2010-08-12 17:27 · Score: 1
  
  If only one would combine the LOIC with a brute-force script. DDoS + password stealing all in one.
  Bet 4chan would shit themselves over that. While AES256 may take the universe suffering from total entropy before it got cracked, I bet with a good logistical separation and delegation of sections to attempt they could crack it.
  Just simply brute-forcing it would take eternity. Use a little statistics and logistics, and some proper task delegation, I'd be willing to bet that a brute-force could be accomplished within a couple of decades. Sure it would be pure luck, but a little micromanagement here would actually help with the odds.
  
  --
  Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
23. Re:*Smack Face* by billcopc · 2010-08-12 17:59 · Score: 2, Insightful
  
  I don't see what the big fuss is... it's your name. If someone has your email address, they probably have some sense of who you are. If you don't trust them with your real name, then at the very least have some forethought and give them a throwaway email address.
  Me, I'm Bill Lambert. My email address is billco@fnarg.com . Says so on my whois records. Big fucking whoop. That's what spamassassin is for.
  
  --
  -Billco, Fnarg.com
24. Re:*Smack Face* by vlueboy · 2010-08-12 18:46 · Score: 1
  
  Website owners, forum administrator, people you meet on the internet.. Those who know your email but don't really know your real identity.
  Yet another reason to hide your email on forums' public profiles.
  If FB fails to change anything, then more power to me for avoiding it. I can't believe this past two years: google improved forum indexing to the point that too much crap obscures legit searches ... spammers have also gotten real good at stealing, curating my personal data and cloning it in a way to contribute to the above "crapflood." Phone books cannot even dream of the power of the spammers for aggregating data to piece together exactly who I am and who I work for and with, even if I have no linkedIn account --think cogmap and pipl.com and so on.
  I've slowly been obfuscating inactive web accounts before even MORE data miners get them free. At least ten years ago you had to pay to find out as much.
25. Re:*Smack Face* by sodul · 2010-08-12 19:12 · Score: 1
  
  Actually it depends on what your name is. If your name is John Smith, then yes using your name for a somewhat unique identifier is a bad idea. In my case I have a 4 letters last name and it is very 'rare' (probably less than 100 people with that last name).
26. Re:*Smack Face* by Kijori · 2010-08-12 21:18 · Score: 1
  
  No, it's a genitive - the location of the photo.
27. Re:*Smack Face* by gsslay · 2010-08-12 21:36 · Score: 1
  
  I get this too. My name is not that common, unfortunately the idiots making the mistake are the same ones again and again. I'm now at the point that I can guess which idiot, as I know enough about their interests from what websites they sign up to.
  It's just as bad when they tell their friends or colleagues the wrong email address. It took me a year to convince a certain military outfit that I was not part of their unit and to stop sending me orders about next week's operations. God knows what was happening to the guy who was supposed to be getting them.
  I used to forward them on to the correct email address, or reply to the sender. Now I don't bother, automated filter, straight in the trash.
  Of course, the websites that sign people up to things without any email confirmation are just as guilty.
28. Re:*Smack Face* by JasterBobaMereel · 2010-08-12 23:53 · Score: 1
  
  Because a surprisingly large number of internet users are blind or have poor eyesight, and your system would exclude them from facebook ....Just like they are excluded from ING's website ...
  
  --
  Puteulanus fenestra mortis
29. Re:*Smack Face* by Chysn · 2010-08-13 00:18 · Score: 1
  
  It's no so much the name as a picture, I think. People are accustomed to seeing their Facebook pictures only (or at least primarily) in Facebook, and a phishing attack that involves that picture would be a lot more convincing.
  
  --
  --I'm so big, my sig has its own sig.
  -- See?
30. Re:*Smack Face* by hesaigo999ca · 2010-08-13 00:52 · Score: 1
  
  Not only that, but I take it if someone like me were to use facebook without adding pictures, but just to stay in touch, i guess you would not get much other then my online name (which is never the real name) and an empty picture box.
31. Re:*Smack Face* by asdf7890 · 2010-08-13 01:24 · Score: 1
  
  Legitimate reason: yes. Good reason: no. Commonly accepted best-practice is not to let the user know which part is wrong. Reporting that the username is fine but the password isn't makes brute-force login attempts a more practical form of attack especially where you are expecting daft users with poor password choices - and facebook themselves expects their users to be too daft to properly choose and look after their usernames/passwords hence the "enter your email address and password here and we'll look at your contacts for you!" area that is present on sign-up and occasionally lied about on wall updates (I have a couple of fake accounts that I use to check how I look to others, and fb has claimed more than once that one of those accounts "has tried the friend finder" when I know full well this has not happened).
32. Re:*Smack Face* by mcgrew · 2010-08-13 01:31 · Score: 1
  
  No, "the photo's location" is correct. It's a possessive (the other time you use an apostrophe).
  George's dog is brown, George's cat is white, George's location is unknown. The photo's contrast is bad, the photo's focus is bad, the photo's location is in the trash. If it were more than one photo it would be "the photos' locations".
  
  --
  Free Martian Whores!
33. Re:*Smack Face* by netsharc · 2010-08-13 07:46 · Score: 1
  
  I wonder how the AJAX-crazy Facebook would work for the poor-sighted anyway... I have a hunch: not very good.
  And imagine the TTS-engine:
  "Moron McDumbass needs an UZI for a Mafia Wars raid.
  Moron McDumbass needs bullets for a Mafia Wars raid.
  Moron McDumbass needs a getaway car for a Mafia Wars raid."
  
  --
  What time is it/will be over there? Check with my iPhone app!
Not a Bug by FrozenTousen · 2010-08-12 08:14 · Score: 5, Funny

It's a feature. Say you get amnesia and all you remember is your email address. Now, thanks to Facebook, you have a means of finding out your name, and what you look like!

--
I'm a popular stranger, I'm nobody famous, I'm a famous nobody.
1. Re:Not a Bug by Anonymous Coward · 2010-08-12 08:20 · Score: 5, Funny
  
  It's a very serious bug. Spammers aren't _supposed_ to be able to scrape that information without paying facebook for it.
2. Re:Not a Bug by by+(1706743) · 2010-08-12 08:25 · Score: 4, Funny
  
  It's a feature. Say you get amnesia and all you remember is your email address. Now, thanks to Facebook, you have a means of finding out your name, and what you look like!
  Imagine how much simpler the plot for The Bourne Identity would have been.
Not The Only Problem by Revotron · 2010-08-12 08:15 · Score: 4, Insightful

Fixing this alone means nothing. If you search for someone on Facebook it will show you a name and a profile picture. Sure, it requires a facebook account, but that's not too hard to create for somebody with 4,000,000 email addresses.
1. Re:Not The Only Problem by yincrash · 2010-08-12 08:22 · Score: 2, Interesting
  
  A user can prevent the profile picture from showing, and you can't search by email address (that I know of). However, this bypasses the profile picture privacy option.
2. Re:Not The Only Problem by e065c8515d206cb0e190 · 2010-08-12 08:24 · Score: 4, Informative
  
  You can search by email address. And last time I checked the only way to not show your profile picture to the world was to not have one at all.
3. Re:Not The Only Problem by TheGratefulNet · 2010-08-12 08:26 · Score: 2, Insightful
  
  I have no FB account (never will, either!) yet I can do a google cache search AND get 'goodies' on FB users that way.
  so, that's yet another hole that needs to be patched.
  
  --
  
  --
  "It is now safe to switch off your computer."
4. Re:Not The Only Problem by creat3d · 2010-08-12 08:32 · Score: 5, Informative
  
  You can set your profile not to be searchable by email address.
  
  --
  Grammar nazis are to this community what excrements are to gold.
5. Re:Not The Only Problem by natehoy · 2010-08-12 08:42 · Score: 5, Insightful
  
  This means a lot if you have set your profile to be non-searchable and set your name and/or profile picture to be "visible to friends only".
  POTS analogy: This is like going to the effort of getting an "unlisted number", where you aren't supposed to be listed in the phone book and your address is not supposed to be divulged to anyone, then finding out that anyone who happens upon your number and dials it gets a recording that includes your name and address.
  Having said that, everything you enter in Facebook should be considered viewable by everyone on the planet. Facebook doesn't exactly have a long and reliable history of protecting the identity of the people who use it. They'd sell you for a nickel. They'd probably send someone to strangle your cat if they thought your angst-ridden posts would generate a few thousand more page views. It's not exactly like this should come as a surprise to anyone, especially those of us who actually use it.
  So, as someone mentioned above - this is a very, very serious bug to Facebook. This information should NEVER be given out to anyone... who isn't paying for it.
  
  --
  "This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
6. Re:Not The Only Problem by prostoalex · 2010-08-12 09:27 · Score: 2, Informative
  
  Only if 'Search for me on Facebook' is set to 'Everyone'
  http://www.facebook.com/settings/?tab=privacy&section=basic
7. Re:Not The Only Problem by Anonymous Coward · 2010-08-12 09:44 · Score: 1, Insightful
  
  How exactly?
  Facebook's configuration is so convoluted. Everything is spread around on different pages and stuff, so annoying. It's very hard to find any particular privacy or profile setting.
8. Re:Not The Only Problem by bannable · 2010-08-12 23:55 · Score: 1
  
  Actually, if you check out the Full Disclosure thread on this you'll that this is the problem. Facebook isn't checking *any* privacy settings during failed login attempts, so it doesn't matter what settings you use.
  
  --
  "If you see a man on a horse, he is likely an enemy. Kill the man and eat the horse."
9. Re:Not The Only Problem by Actually,+I+do+RTFA · 2010-08-13 06:01 · Score: 1
  
  Account->Privacy Settings->Basic Directory Info
  I agree, it is annoying.. It took me 30 minutes to find (the first time). I think it's been cleaned up since then.
  
  --
  Your ad here. Ask me how!
10. Re:Not The Only Problem by creat3d · 2010-08-14 11:25 · Score: 1
  
  It seems to take a lot of time (from hours to days) before such changes take full effect... Changing some account settings will sometimes be instantaneous, other times it'll take forever. But it does eventually take effect.
  
  --
  Grammar nazis are to this community what excrements are to gold.
Wow by mark72005 · 2010-08-12 08:15 · Score: 1, Redundant

Just when you thought all the obvious exploits and privacy problems had to be gone by now, they go off and amaze us again.

Get ready for another irreducibly complex tier of privacy settings, i'm sure.
1. Re:Wow by xMilkmanDanx · 2010-08-12 08:30 · Score: 1
  
  actually I'd say it's more symptomatic of the blacklist mentality. you get better security/data control if you have to whitelist access.
  
  --
  I am not in anyway affiliated with Max Cannon
From TFA by wideBlueSkies · 2010-08-12 08:16 · Score: 5, Funny

>>Scraping Facebook for this type of information is prohibited, she added.
Oh, yes. That'll stop em'. Stern warnings always do.

--
Huh?
1. Re:From TFA by Monkeedude1212 · 2010-08-12 08:22 · Score: 2, Funny
  
  Strongly worded public letters deter most bots.
2. Re:From TFA by interkin3tic · 2010-08-12 08:30 · Score: 3, Insightful
  
  They should probably throw in a logical paradox to make their heads explode or short circuit. Like "It's forbidden to use this picture and name for evil purposes, because people want privacy, even though they put it all up there suggesting they don't want privacy... think about that."
  There's only one problem...
  "Santa-bot: Nice try. But my head was built with paradox-absorbing crumple-zones"
3. Re:From TFA by Pollardito · 2010-08-13 03:31 · Score: 1
  
  I've seen multiple comments by Facebook to the media that make it sound like customer privacy is something that can be put back in a box after a breach has taken it out. I'm not sure if they actually believe that they can compel the scrapers to delete all copies of the data, or if they are just posturing.
Need an adult by dan_sdot · 2010-08-12 08:16 · Score: 3, Insightful

Ok, we need an adult to start running this company please. Seriously, this Zuckerberg guy is so far out of his league it is laughable.
1. Re:Need an adult by bkgood · 2010-08-12 09:35 · Score: 2, Informative
  
  Ageist much? Do you really think that a CEO like Zuckerberg wrote, demanded or even approved something as simple as a "spice up the login error page" project?
  Anyway, the guy is 26. He can buy booze, fight for his country and successfully run a multi-million dollar company. Most of slashdot, even adult slashdot, cannot claim all three.
  Finally, I really don't know what all the commotion is about, I just logged out of Facebook and tried logging back in with my email address and a bad password; I got the standard "bad email or password" error.
2. Re:Need an adult by Matt+Perry · 2010-08-12 14:55 · Score: 2, Funny
  
  I know! He's just making money for the company hand over fist. Obviously he doesn't know anything about running a company.
  </sarcasm>
  
  --
  Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
Could? by Anonymous Coward · 2010-08-12 08:17 · Score: 1, Insightful

"Could" be misused? How about "has" and "is"?
Answer: some 22yo kid on a powertrip by e065c8515d206cb0e190 · 2010-08-12 08:17 · Score: 2, Funny

Here comes Mark.
Correction by pseudorand · 2010-08-12 08:18 · Score: 1

> that could be misused by spammers to harvest user names and photographs. ...that has been widely used by spammers, collection agencies, the government, terrorists, aliens (from outer space and otherwise), foreign governments and the like to harvest user names, photographs and e-mails for years.
There. Fixed that for you.
Scrambling, my ass... by bugs2squash · 2010-08-12 08:24 · Score: 3, Insightful

The site should go down for maintenance until they fix the issue, and only then brought back online.

--
Nullius in verba
1. Re:Scrambling, my ass... by Anonymous Coward · 2010-08-12 09:36 · Score: 2, Funny
  
  The site should go down for maintenance until they fix the issue, and only then brought back online.
  Good idea. I'm all for bringing it down. Think of how much more productive households, college campuses, and the workplace will be for networks not already blocking facebook access. The increase in productivity would cause a spike in the world economy and take us out of the recession :-)
2. Re:Scrambling, my ass... by cosm · 2010-08-12 16:40 · Score: 1
  
  The site should go down for maintenance until they fix the issue, and only then brought back online.
  Good idea. I'm all for bringing it down. Think of how much more productive households, college campuses, and the workplace will be for networks not already blocking /. access. The increase in productivity would cause a spike in the world economy and take us out of the recession :-)
  FTFY
  
  --
  'We are trying to prove ourselves wrong as quickly as possible, because only in that way can we find progress.' RPF
This flaw is no longer available by SplatMan_DK · 2010-08-12 08:26 · Score: 5, Informative

This flaw is no longer available on Facebook logon pages.
In fact it was removed before this story made it to the /. front page.
It was removed approx. 11 hours after the first public articles about it.
- Jesper

--
My security clearance is so high I have to kill myself if I remember I have it...
1. Re:This flaw is no longer available by duplicate-nickname · 2010-08-12 08:31 · Score: 1, Offtopic
  
  +1...if I could.
  Again Slashdot delivers slow, out-of-date news.
  
  --
  ÕÕ
2. Re:This flaw is no longer available by C_Kode · 2010-08-12 08:33 · Score: 2, Insightful
  
  In this case, I consider it a good thing.
3. Re:This flaw is no longer available by Anonymous Coward · 2010-08-12 08:37 · Score: 3, Interesting
  
  Really? I just went to Facebook, put in my email address and a bad password in, and I see "Login as: [My full name] [my email] Not you? click here". My picture is a blank picture, but it always is because I have all pictures turned off publicly. So, if they've removed the flaw, they've either not deployed it to all their servers yet (possible), or they really did a bad job of removing it.
4. Re:This flaw is no longer available by rudy_wayne · 2010-08-12 08:47 · Score: 1
  
  This flaw is no longer available on Facebook logon pages.
  In fact it was removed before this story made it to the /. front page.
  It was removed approx. 11 hours after the first public articles about it.
  - Jesper
  Sorry Jesper, but you are wrong. I just tried it and the problem HAS NOT been fixed as of 4:47pm EST today.
5. Re:This flaw is no longer available by blackraven14250 · 2010-08-12 08:47 · Score: 1
  
  Interesting point, considering he's talking about the flaw being fixed 11 hours after the first articles.
6. Re:This flaw is no longer available by Kelson · 2010-08-12 09:05 · Score: 1
  
  Try clearing your cookies in between (or just use a different browser), or test it with someone else's email address. It only shows your name and photo if you were previously logged on with the same account.
  I'm not sure how wise that is, but it's certainly an improvement over any random person being able to extract the information (assuming, of course, that your name and photo aren't already publicly associated with that email address via other channels).
7. Re:This flaw is no longer available by Farmer+Tim · 2010-08-12 09:07 · Score: 4, Funny
  
  Slashdot: recent history for nerds, stuff that once mattered.
  
  --
  Blank until /. makes another boneheaded UI decision.
8. Re:This flaw is no longer available by guyminuslife · 2010-08-12 10:52 · Score: 1
  
  I am currently reading a novel called "Rollback." In the story, Earth received a message from alien life forms on a distant planet in 2010. One of the main characters, a SETI researcher, doesn't find out about it until after the news has been leaked publicly. Her husband breaks it to her: "It's all over the Internet, including Slashdot!" And my reaction was, "What? Slashdot already has it on the frontpage? She must really be the last person to find out!"
  
  --
  I don't believe in time. It's a grand conspiracy designed to sell watches.
9. Re:This flaw is no longer available by amicusNYCL · 2010-08-12 10:56 · Score: 1
  
  Just tried right before this post with a browser I don't use Facebook on, with a couple email addresses for users from a forum that I admin. It most definitely showed real names for the people, although not pictures. Could be that none of them have pictures. It took 3 failed logins and then a captcha before it showed the name.
  
  --
  "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
10. Re:This flaw is no longer available by prostoalex · 2010-08-12 11:07 · Score: 1
  
  What happened when you tried someone else's e-mail address?
11. Re:This flaw is no longer available by Khyber · 2010-08-12 17:32 · Score: 1
  
  Why? Given the shit concerning this site, one would think it would have been better for this knowledge to get out even faster so people would know to drop that site like a hot lava rock.
  
  --
  Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
Optomist... by ViViDboarder · 2010-08-12 08:28 · Score: 1

I noticed this the other day, but I was kind of hoping it only brought that up because I had a cookie and had logged in before... Guess not.
Scraping by wideBlueSkies · 2010-08-12 08:32 · Score: 2, Insightful

Jeez... you can write a perl script to do the scraping in about 15 minutes.
Besides the fix for the insecure functions on the page, I certainly hope they are doing IP blocking....
But what a bunch of PR jumbo... the problem is the result of a bug?? I'd disagree. I've seen the login error page. The function of showing the image and repeating the email address is by design . A horribly insecure design in the context of Facebook's privacy settings setup. But it was a design decision, not a bug.
At least that's how I see it.

--
Huh?
1. Re:Scraping by RAMMS+EIN · 2010-08-12 09:28 · Score: 3, Interesting
  
  ``But it was a design decision, not a bug.''
  Also, not telling whether they got the username correct or wrong is security 101.
  This is yet another case of Facebook having done the wrong thing for their users' privacy, and correcting things only to lessen the negative publicity. It's not an accident.
  
  --
  Please correct me if I got my facts wrong.
The word AND is not in short supply by Anonymous Coward · 2010-08-12 08:34 · Score: 1, Interesting

"Facebook Bug Could Give Spammers Names, Photos"
Names, Photos?
A comma was traditionally used in printing headlines in place of "and" because the litho did not usually have an ampersand character with which to save space.
There is no excuse for this misuse of the comma in the 21st century.
1. Re:The word AND is not in short supply by PhxBlue · 2010-08-12 09:59 · Score: 1
  
  How do you figure it's misuse? It was used in that headline to separate two items on a list. Since there are still a few print-edition papers here and there, it still makes sense to use commas in place of "and" for headlines.
  
  --
  !#@%*)anks for hanging up the phone, dear.
Re:This flaw is STILL available by Anonymous Coward · 2010-08-12 08:38 · Score: 1, Informative

I just tested it. Logged out, logged back in with the wrong password.
Guess what? It shows my name. I've turned off sharing my profile picture but the main article is talking about it scraping names for realistic spam. That is still available.
Where are you getting your information again?
Re:That's nothing. by not+already+in+use · 2010-08-12 08:40 · Score: 1

I noticed lots of people take pictures of mirrors, too.

--
Similes are like metaphors
Re:This flaw is STILL available by Anonymous Coward · 2010-08-12 08:44 · Score: 1, Informative

I just tested it. Logged out, logged back in with the wrong password.
Guess what? It shows my name. I've turned off sharing my profile picture but the main article is talking about it scraping names for realistic spam. That is still available.
Where are you getting your information again?
Maybe it relies on a cookie or something, and it only shows that to you because you've been logged in before. I just tried a friend's email address and wrong password, and it didn't show me any information about him. He has never been logged into Facebook on this machine.
*does not affect deactivated accounts by Rooked_One · 2010-08-12 08:47 · Score: 2, Funny

I deactivated my account log ago, and just checked - it doesn't say a word about who I am. Not sure if anyone else has tried this to actually see if it works.
Return vs. Fresh Login by Kelson · 2010-08-12 08:59 · Score: 5, Informative

Maybe it relies on a cookie or something, and it only shows that to you because you've been logged in before.

That does seem to be the case. I just tested it on two browsers, one of which I don't use with Facebook.
On the browser that I don't use with Facebook, the "Please enter your password" screen did not include a name or picture.
On the browser that I do use with Facebook, and had just logged out seconds before, my name and photo did appear. However, if I entered someone else's address, the name and photo did not appear. Just for kicks, I tried two email addresses, one of which I know does have an account and one of which I know doesn't. Facebook *did* tell me which one was not associated with an account.
A spammer isn't going to have your cookies, so they won't get your name and photo. But they can confirm whether you have a Facebook account or not.
1. Re:Return vs. Fresh Login by AnAdventurer · 2010-08-12 10:10 · Score: 4, Funny
  
  Best line EVER: A spammer isn't going to have your cookies
  
  --
  6.8SPC TR of 550, l xwind at 6, drift rt at 26" drops 77". AT has 503 ft-lbs at 1403 fps. FT 0.86
Predicted long ago by betterunixthanunix · 2010-08-12 09:16 · Score: 3, Interesting

My security engineering text (Anderson, 2nd edition) predicted that social networking websites would become security liabilities because of the amount of personal information they store about their members. That book was published in 2007.

"We were warned?"

--
Palm trees and 8
1. Re:Predicted long ago by Archangel+Michael · 2010-08-12 10:57 · Score: 2, Interesting
  
  "Long ago" being any length of time greater than about 3 years???
  
  --
  Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
2. Re:Predicted long ago by betterunixthanunix · 2010-08-12 12:28 · Score: 1
  
  Considering how long these websites have been overwhelmingly popular, to the point of actually becoming security liabilities?
  
  --
  Palm trees and 8
can also just search for email address. by joostje · 2010-08-12 09:32 · Score: 1

Not just the "re-enter password" page. If you enter an email address in the normal facebook search box, facebook will show you the name of the account that uses that email address (though not the photo, if it is blocked).
Rolling out might take time? by SplatMan_DK · 2010-08-12 09:36 · Score: 1

Sorry Jesper, but you are wrong. I just tried it and the problem HAS NOT been fixed as of 4:47pm EST today.
Fair enough, you tested it and found the flaw alive and kicking.

Did you flush your browser cache before testing? And did you ensure that you are not getting the page from a proxy server someweher between you and the FB server?

If you are still getting the flaw (as I can see a number of other users are also reporting) my guess is that:

1.) They are getting cached results from somewhere
2.) Facebook has fixed the flaw, but propagating it to their 32.000 servers (literally dude) takes a little time.

Obviously I tested it myself before making the first comment ;-) and I am unable to get any information listed. I have tried with 5 accounts belonging to friends and family (and I picked the e-mails they use for their FB accounts) without getting any interesting information. I would (obviously) not post something like my first comment on a /. front page article without testing it first ...

Now, FB should still get hammered for being so damn stupid, but on the servers that I get results from the flaw is gone.

- Jesper

--
My security clearance is so high I have to kill myself if I remember I have it...
Works for me by gringer · 2010-08-12 10:10 · Score: 1
I don't have a facebook account, but I tried a few random emails (pretty much name@gmail.com), and came up with a full name and photo (although more commonly just the full name).
1. enter email address with 'mashed keys' as password
2. enter email address with 'mashed keys' as password 2 more times at 'incorrect login' screen
3. enter captcha
4. if email address represents a real user, their name (and photo, if it exists) shows up
--
Ask me about repetitive DNA
Internet security by LoudMusic · 2010-08-12 10:38 · Score: 3, Insightful

Q: Is your personal data safe?
A: [in form of a question] Is it in anyway a part of the internet, including being on your own computer in your own home, which is connected to the internet? If yes, then no.
Hell, even if I don't have a Facebook account and someone takes a pictures of me and uploads it to Facebook and tags it with my name then the internet knows what I look like. Privacy is a joke.
On the other hand, perhaps there's a market in creating false identities for people as a false data internet flood. As a business they would sign up for popular social networks with your name and upload a variety of pictures claiming to be you, with routine updates about things you're not actually doing. They could use their client list to 'friend' each other and build a nice false society. If someone on the internet ever posted true or factual information or pictures about you it would be considered less reliable due to the voluminous FUD being provided by the company hired to provide false information, and therefor discarded.

--
No sig for you. YOU GET NO SIG!
Re:It knew who I was by forgot_my_nick · 2010-08-12 10:41 · Score: 2, Informative

Almost certainly some brain dead acquaintance of yours knows both your email addresses, had them in their email address book under your name and allowed Facebook to rifle through it when they signed up.

--
Cultist of the Average Middle-Aged Ones
Not news by YoshiDan · 2010-08-12 12:22 · Score: 1

I noticed this 'feature' a long time ago when I entered my password wrong. I was a bit concerned at the time and I did think "what sort of idiot thinks of an idea like this"... At least they're fixing it.
What is the bug again? by Alien1024 · 2010-08-12 12:36 · Score: 1

From TFA:

"We have technical systems in place to prevent people's names and photos from showing to unrelated users upon login, but a recently introduced bug temporarily prevented these from working as intended," a company spokeswoman said in an e-mail message. "We are already working on a fix and expect to remedy the situation shortly."
If by "upon login" they mean when a wrong password is entered, I don't understand what the bug is, since the "Is that you?" screen is the intended behavior, not a buggy one. By the way, it only happens if the email address matches the account which was last logged in on the browser, and it forgets it if you wipe the cookies (maybe the "bug" is already fixed?). But even if that page was shown for any email, that's not the only or even the easiest way to get the name and picture matching an email; that's as easy as searching users by email.
Of course it's easy to build a phishing site that replicates the "wrong password" screen, but anyone who falls for such a phishing attempt has worse problems on the internet.
It's not a bug, it's a feature by js_sebastian · 2010-08-12 21:28 · Score: 1

Fixing this alone means nothing. If you search for someone on Facebook it will show you a name and a profile picture. Sure, it requires a facebook account, but that's not too hard to create for somebody with 4,000,000 email addresses.
People from our lab have a paper coming up at RAID this year pretty much on the same issue, exploited at a large scale (trying millions of email addresses): http://iseclab.org/papers/raid2010.pdf. Read it if you want to get an idea of how much impact such an attack can have. As a spammer, if I know the full name and list of friends (public information on facebook) associated with an email address in my spam targets list, I can do some very sneaky, targeted spam pretending to come from one of your friends...
The important point is that this is not a bug. It's an undesirable side effect of the friend finding feature that is very useful to some users and that facebook certainly has no intention of removing. As a consequence of this paper, they apparently implemented a rate limiting in the number of email address queries one can do... better than nothing, but there are no full solutions.
Want to be found? by jumpmanlives · 2010-08-12 23:13 · Score: 1

Don't use real names on FB. Online friends will know you by your handle. You can choose your friends and be in control. Basing accounts on email addresses is a good idea but link your FB account to an email that doesn't contain your real name too. :Ð
1. Re:Want to be found? by John+Hasler · 2010-08-13 03:38 · Score: 1
  
  > Don't use real names on FB.
  I think it may be a good idea the create an FB account in your real name, but it should be a dummy account, existing just to block "pranksters" from using it.
  
  --
  Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
not a bug by Jherico · 2010-08-13 07:39 · Score: 1

That's not a 'bug'. Its an incredibly bad design decision.

--
Jherico
What can the average user can do to ensure his security? "Nothing, you're screwed"