Slashdot Mirror


Facebook Bug Could Give Spammers Names, Photos

angry tapir writes with this excerpt from an IDG report: "Facebook is scrambling to fix a bug in its website that could be misused by spammers to harvest user names and photographs. It turns out that if someone enters the e-mail address of a Facebook user along with the wrong password, Facebook returns a special 'Please re-enter your password' page, which includes the Facebook photo and full name of the person associated with the address. A spammer with an e-mail list could write a script that enters the e-mail addresses into Facebook and then logs the real names. This could help make a phishing attack more realistic."

44 of 145 comments

  1. *Smack Face* by Monkeedude1212 · · Score: 5, Insightful

    Seriously? Who is freaking writing these web pages? It would have been easier to NOT include photos and names than to build it in there!

    1. Re:*Smack Face* by odies · · Score: 4, Insightful

      I think the summary and the story are looking at the wrong aspect of it too. Spammers, whatever. You're just one in a million. This is a lot more serious for people who just know your email, but are in more personal contact with you than some spammers. Website owners, forum administrators, people you meet on the internet... Those who know your email but don't really know your real identity. That's a lot more serious privacy violation.

    2. Re:*Smack Face* by Anonymous Coward · · Score: 2, Funny

      Seriously? Who is freaking writing these web pages?

      Probably an ex-Slashcode developer.

    3. Re:*Smack Face* by ilo.v · · Score: 2, Interesting

      Who is freaking writing these web pages? It would have been easier to NOT include photos and names

      I'm not defending their choices, but there is a legitimate reason why they would do this. Some users mistype their username, not their password. This results in a "failed login" screen. If there is no photo (or name) they may assume they have mistyped their password, and keep trying it over and over. Throwing up the picture associated with that account helps the user figure out that the reason they can't log in is because they are mistyping their username, not their password.

    4. Re:*Smack Face* by Abstrackt · · Score: 2, Insightful

      I do some of my banking with ING and they let you select a combination of a picture and phrase that's unique to you, why couldn't Facebook implement the same? All they would need is a stock of pictures for people to choose from and a text field. If you don't see your selected picture and your selected text you'd know you tried logging into the wrong account.

      --
      They say a little knowledge is a dangerous thing, but it's not one half so bad as a lot of ignorance. - Terry Pratchett
    5. Re:*Smack Face* by SmlFreshwaterBuffalo · · Score: 2, Insightful

      I wouldn't call that a legitimate reason since that implies, well, legitimacy. Instead, it's simply a possible explanation for how they arrived at their poor choice.

      A more secure solution to the problem you pose would be to clear the user name on the "failed login" screen in addition to the password, regardless of which is incorrect. And if anyone wants to argue that having to retype both would be inconvenient, I'll preemptively counter by saying security should not be sacrificed for the sake of convenience.

    6. Re:*Smack Face* by yenne · · Score: 5, Insightful

      I just tried it. Looks to me like Facebook has a problem with users who enter the wrong e-mail address and can't figure out why their logon isn't working. Hence, the "Not you? Click here." option beside the picture.

      It's entirely possible that the idiocy behind the interface design is in an ongoing stupidity arms race with the consumers on the other end.

    7. Re:*Smack Face* by paulbiz · · Score: 5, Interesting

      I have a "good" gmail address (my full name@gmail.com) and I constantly get e-mail from other people signing up for things who apparently don't know their own e-mail address. I've received passwords and various other sensitive data. Sprint was sending me receipts for someone's very large corporate purchases, I kept replying and forwarding them to Sprint's customer care and they basically told me they can't do anything about it and to just delete them and not worry about it.

      It's also amazing how many sites will not let you unsubscribe without providing some kind of personal info. Seriously? They let you sign up with the wrong address without confirming it, but I can't unsubscribe unless I know the last 4 digits of the guy's SSN?

    8. Re:*Smack Face* by Pharmboy · · Score: 2, Interesting

      I have a "good" gmail address (my full name@gmail.com) and I constantly get e-mail from other people signing up for things who apparently don't know their own e-mail address.

      Glad to know I am not the only one. My Yahoo email address, which I have used since the mid 90s when they started offering email (back when 9 characters was the maximum name size....) gets the same thing, legitimate "thanks for signing up" from legit companies, where some idiot didn't know their own email address. Ironically, my email address is a real oddball one, so how they would use it is beyond me.

      --
      Tequila: It's not just for breakfast anymore!
    9. Re:*Smack Face* by Dhalka226 · · Score: 4, Interesting

      I had the same problem happen, with some extremely sensitive data coming in.

      In addition to somewhat mundane things like airline confirmations, hotel confirmations, etc, there were several letters about legal problems. The person they were trying to reach is apparently the head of an investment group and under investigation by the SEC. I also once received an email containing a bank account number with routing number. Usually it was sent to his (proper) business address and CC'd to my address, which I assume they thought was a personal address for him. When correspondence from lawyers started coming in I decided it was well past time to start emailing these people and telling them to oh my god please stop. That's a can of worms I just wanted no part of whatsoever.

      I did do a quick Google search for the guy; same last name, different first name (same first initial, the combination of which is my email address). Really a problem that shouldn't have happened, especially not that many times from that many different sources.

    10. Re:*Smack Face* by Khyber · · Score: 3, Insightful

      This is why I do not use my name as part of my e-mail address.

      This cuts down on that problem considerably.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    11. Re:*Smack Face* by billcopc · · Score: 2, Insightful

      I don't see what the big fuss is... it's your name. If someone has your email address, they probably have some sense of who you are. If you don't trust them with your real name, then at the very least have some forethought and give them a throwaway email address.

      Me, I'm Bill Lambert. My email address is billco@fnarg.com . Says so on my whois records. Big fucking whoop. That's what spamassassin is for.

      --
      -Billco, Fnarg.com
  2. Not a Bug by FrozenTousen · · Score: 5, Funny

    It's a feature. Say you get amnesia and all you remember is your email address. Now, thanks to Facebook, you have a means of finding out your name, and what you look like!

    --
    I'm a popular stranger, I'm nobody famous, I'm a famous nobody.
    1. Re:Not a Bug by Anonymous Coward · · Score: 5, Funny

      It's a very serious bug. Spammers aren't _supposed_ to be able to scrape that information without paying facebook for it.

    2. Re:Not a Bug by by (1706743) · · Score: 4, Funny

      It's a feature. Say you get amnesia and all you remember is your email address. Now, thanks to Facebook, you have a means of finding out your name, and what you look like!

      Imagine how much simpler the plot for The Bourne Identity would have been.

  3. Not The Only Problem by Revotron · · Score: 4, Insightful

    Fixing this alone means nothing. If you search for someone on Facebook it will show you a name and a profile picture. Sure, it requires a facebook account, but that's not too hard to create for somebody with 4,000,000 email addresses.

    1. Re:Not The Only Problem by yincrash · · Score: 2, Interesting

      A user can prevent the profile picture from showing, and you can't search by email address (that I know of). However, this bypasses the profile picture privacy option.

    2. Re:Not The Only Problem by e065c8515d206cb0e190 · · Score: 4, Informative

      You can search by email address. And last time I checked the only way to not show your profile picture to the world was to not have one at all.

    3. Re:Not The Only Problem by TheGratefulNet · · Score: 2, Insightful

      I have no FB account (never will, either!) yet I can do a Google cache search AND get 'goodies' on FB users that way.

      So, that's yet another hole that needs to be patched.

      --
      "It is now safe to switch off your computer."
    4. Re:Not The Only Problem by creat3d · · Score: 5, Informative

      You can set your profile not to be searchable by email address.

      --
      Grammar nazis are to this community what excrements are to gold.
    5. Re:Not The Only Problem by natehoy · · Score: 5, Insightful

      This means a lot if you have set your profile to be non-searchable and set your name and/or profile picture to be "visible to friends only".

      POTS analogy: This is like going to the effort of getting an "unlisted number", where you aren't supposed to be listed in the phone book and your address is not supposed to be divulged to anyone, then finding out that anyone who happens upon your number and dials it gets a recording that includes your name and address.

      Having said that, everything you enter in Facebook should be considered viewable by everyone on the planet. Facebook doesn't exactly have a long and reliable history of protecting the identity of the people who use it. They'd sell you for a nickel. They'd probably send someone to strangle your cat if they thought your angst-ridden posts would generate a few thousand more page views. It's not exactly like this should come as a surprise to anyone, especially those of us who actually use it.

      So, as someone mentioned above - this is a very, very serious bug to Facebook. This information should NEVER be given out to anyone... who isn't paying for it.

      --
      "This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
    6. Re:Not The Only Problem by prostoalex · · Score: 2, Informative

      Only if 'Search for me on Facebook' is set to 'Everyone'
      http://www.facebook.com/settings/?tab=privacy&section=basic

  4. From TFA by wideBlueSkies · · Score: 5, Funny

    >>Scraping Facebook for this type of information is prohibited, she added.

    Oh, yes. That'll stop em'. Stern warnings always do.

    --
    Huh?
    1. Re:From TFA by Monkeedude1212 · · Score: 2, Funny

      Strongly worded public letters deter most bots.

    2. Re:From TFA by interkin3tic · · Score: 3, Insightful

      They should probably throw in a logical paradox to make their heads explode or short circuit. Like "It's forbidden to use this picture and name for evil purposes, because people want privacy, even though they put it all up there suggesting they don't want privacy... think about that."

      There's only one problem...

      "Santa-bot: Nice try. But my head was built with paradox-absorbing crumple-zones"

  5. Need an adult by dan_sdot · · Score: 3, Insightful

    Ok, we need an adult to start running this company please. Seriously, this Zuckerberg guy is so far out of his league it is laughable.

    1. Re:Need an adult by bkgood · · Score: 2, Informative

      Ageist much? Do you really think that a CEO like Zuckerberg wrote, demanded or even approved something as simple as a "spice up the login error page" project?

      Anyway, the guy is 26. He can buy booze, fight for his country and successfully run a multi-million dollar company. Most of slashdot, even adult slashdot, cannot claim all three.

      Finally, I really don't know what all the commotion is about, I just logged out of Facebook and tried logging back in with my email address and a bad password; I got the standard "bad email or password" error.

    2. Re:Need an adult by Matt Perry · · Score: 2, Funny

      I know! He's just making money for the company hand over fist. Obviously he doesn't know anything about running a company.

      </sarcasm>

      --
      Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
  6. Answer: some 22yo kid on a powertrip by e065c8515d206cb0e190 · · Score: 2, Funny

    Here comes Mark.

  7. Scrambling, my ass... by bugs2squash · · Score: 3, Insightful

    The site should go down for maintenance until they fix the issue, and only then brought back online.

    --
    Nullius in verba
    1. Re:Scrambling, my ass... by Anonymous Coward · · Score: 2, Funny

      The site should go down for maintenance until they fix the issue, and only then brought back online.

      Good idea. I'm all for bringing it down. Think of how much more productive households, college campuses, and the workplace will be for networks not already blocking facebook access. The increase in productivity would cause a spike in the world economy and take us out of the recession :-)

  8. This flaw is no longer available by SplatMan_DK · · Score: 5, Informative

    This flaw is no longer available on Facebook logon pages.

    In fact it was removed before this story made it to the /. front page.

    It was removed approx. 11 hours after the first public articles about it.

    - Jesper

    --
    My security clearance is so high I have to kill myself if I remember I have it...
    1. Re:This flaw is no longer available by C_Kode · · Score: 2, Insightful

      In this case, I consider it a good thing.

    2. Re:This flaw is no longer available by Anonymous Coward · · Score: 3, Interesting

      Really? I just went to Facebook, put my email address and a bad password in, and I see "Login as: [My full name] [my email] Not you? click here". My picture is a blank picture, but it always is because I have all pictures turned off publicly. So, if they've removed the flaw, they've either not deployed it to all their servers yet (possible), or they really did a bad job of removing it.

    3. Re:This flaw is no longer available by Farmer Tim · · Score: 4, Funny

      Slashdot: recent history for nerds, stuff that once mattered.

      --
      Blank until /. makes another boneheaded UI decision.
  9. Scraping by wideBlueSkies · · Score: 2, Insightful

    Jeez... you can write a perl script to do the scraping in about 15 minutes.

    Besides the fix for the insecure functions on the page, I certainly hope they are doing IP blocking....

    But what a bunch of PR jumbo... the problem is the result of a bug?? I'd disagree. I've seen the login error page. The function of showing the image and repeating the email address is by design. A horribly insecure design in the context of Facebook's privacy settings setup. But it was a design decision, not a bug.

    At least that's how I see it.

    --
    Huh?
    1. Re:Scraping by RAMMS+EIN · · Score: 3, Interesting

      ``But it was a design decision, not a bug.''

      Also, not telling whether they got the username correct or wrong is security 101.

      This is yet another case of Facebook having done the wrong thing for their users' privacy, and correcting things only to lessen the negative publicity. It's not an accident.

      --
      Please correct me if I got my facts wrong.
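The two posts above talk about a scraper being a 15-minute script and about IP blocking as the backstop. What the IP blocking actually has to key on is the shape of a sweep: one source, one bogus password, many distinct addresses in a short time, which is exactly what a user retrying their own password never looks like. The following is an added example (not Facebook's tooling, nor code from anyone in this thread) that runs that check over constructed login log lines. The log format, the field names, the five-address threshold and the five-minute window are all assumptions made for the example.

```python
# Added example, not Facebook's tooling: detection logic for the scripted harvesting
# described in the thread, run over constructed login log lines. The log format,
# field names and thresholds are assumptions made for this example.
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) event=(?P<event>\S+) email=(?P<email>\S+)$"
)

# Constructed sample: one source sweeps eight addresses from a mailing list with a
# bogus password within a few seconds; a genuine user mistypes their own password
# a few times and then logs in. No line here is a real log record.
SAMPLE_LOG = "\n".join(
    [f"2010-03-29T10:00:{i:02d} ip=198.51.100.7 event=login_failed email=user{i}@example.com"
     for i in range(8)]
    + [f"2010-03-29T10:01:{i * 5:02d} ip=203.0.113.5 event=login_failed email=bob@example.com"
       for i in range(4)]
    + ["2010-03-29T10:01:30 ip=203.0.113.5 event=login_ok email=bob@example.com"]
)


def parse(text: str) -> List[dict]:
    """Turn log text into event dicts with a parsed timestamp; unknown lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def find_enumerators(events: Iterable[dict], window: timedelta = timedelta(minutes=5),
                     threshold: int = 5) -> Dict[str, int]:
    """Flag source IPs whose failed logins name at least `threshold` distinct
    addresses inside any `window`. A user retrying one address never trips this;
    a list sweep does. Returns {ip: peak number of distinct addresses seen}."""
    by_ip: Dict[str, List[dict]] = defaultdict(list)
    for ev in events:
        if ev["event"] == "login_failed":
            by_ip[ev["ip"]].append(ev)

    flagged: Dict[str, int] = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        recent: deque = deque()      # failed logins inside the current window
        distinct: Counter = Counter()  # address -> occurrences inside the window
        peak = 0
        for ev in evs:
            recent.append(ev)
            distinct[ev["email"]] += 1
            # Slide the window forward, dropping events older than `window`.
            while ev["ts"] - recent[0]["ts"] > window:
                old = recent.popleft()
                distinct[old["email"]] -= 1
                if distinct[old["email"]] == 0:
                    del distinct[old["email"]]
            peak = max(peak, len(distinct))
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    print(find_enumerators(parse(SAMPLE_LOG)))  # {'198.51.100.7': 8}
```

Blocking on this signal alone has the usual caveats: a harvester with 4,000,000 addresses will spread the sweep across many source addresses and slow it down to stay under any per-IP threshold, and a large NAT or proxy can put many real users behind one IP. It is a backstop for rate limiting, not a substitute for the login page giving the same answer whether or not the address exists.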
  10. *does not affect deactivated accounts by Rooked_One · · Score: 2, Funny

    I deactivated my account long ago, and just checked - it doesn't say a word about who I am. Not sure if anyone else has tried this to actually see if it works.

  11. Return vs. Fresh Login by Kelson · · Score: 5, Informative

    Maybe it relies on a cookie or something, and it only shows that to you because you've been logged in before.

    That does seem to be the case. I just tested it on two browsers, one of which I don't use with Facebook.

    On the browser that I don't use with Facebook, the "Please enter your password" screen did not include a name or picture.

    On the browser that I do use with Facebook, and had just logged out seconds before, my name and photo did appear. However, if I entered someone else's address, the name and photo did not appear. Just for kicks, I tried two email addresses, one of which I know does have an account and one of which I know doesn't. Facebook *did* tell me which one was not associated with an account.

    A spammer isn't going to have your cookies, so they won't get your name and photo. But they can confirm whether you have a Facebook account or not.

    1. Re:Return vs. Fresh Login by AnAdventurer · · Score: 4, Funny

      Best line EVER: A spammer isn't going to have your cookies

      --
      6.8SPC TR of 550, l xwind at 6, drift rt at 26" drops 77". AT has 503 ft-lbs at 1403 fps. FT 0.86
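The summary describes a harvester that feeds an address list into the login form and records whatever comes back; RAMMS+EIN's "security 101" point and Kelson's test above narrow the problem down: even with the name and photo gone, the page still answers differently for an address with an account and one without, so the list can still be confirmed. The following is an added example, written for this thread rather than taken from Facebook or from any poster, that puts a handler with the described behaviour next to one that answers every failure identically, and runs the harvester's loop against both. The account directory, the `probe` helper and the response bodies are constructed for the example.

```python
# Added example, not Facebook's code: a login handler that behaves the way the
# article describes (profile data and a distinct error for a known address), next
# to a hardened handler that answers every failure identically. The user directory,
# the response bodies and the helper names are constructed for this example.
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional


@dataclass
class Account:
    email: str
    name: str
    photo_url: str
    salt: bytes
    pw_hash: bytes


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 keeps the example self-contained; any slow password hash works here.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def make_account(email: str, name: str, photo_url: str, password: str) -> Account:
    salt = os.urandom(16)
    return Account(email, name, photo_url, salt, _hash(password, salt))


# Constructed directory with a single account; nothing here is a real user.
USERS: Dict[str, Account] = {
    a.email: a
    for a in [make_account("alice@example.com", "Alice Example", "/photos/alice.jpg", "correct horse")]
}


def login_leaky(email: str, password: str) -> dict:
    """The behaviour the article describes: an unknown address gets one error, a known
    address with a bad password gets a 're-enter your password' page carrying the
    account's name and photo. Both the body and the skipped hash computation for an
    unknown address tell the two cases apart."""
    acct = USERS.get(email)
    if acct is None:
        return {"status": "error", "message": "Incorrect email."}
    if hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
        return {"status": "ok", "name": acct.name}
    return {"status": "reenter", "message": "Please re-enter your password.",
            "name": acct.name, "photo": acct.photo_url}


# Dummy credentials hashed once at start-up so an unknown address costs the same
# work as a known one; otherwise response time still tells the two apart.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash(secrets.token_hex(16), _DUMMY_SALT)


def login_uniform(email: str, password: str) -> dict:
    """Hardened handler: identical body for every failure, no profile data, and the
    password hash is computed whether or not the address exists."""
    acct = USERS.get(email)
    salt, expected = (acct.salt, acct.pw_hash) if acct else (_DUMMY_SALT, _DUMMY_HASH)
    candidate = _hash(password, salt)
    if acct is not None and hmac.compare_digest(candidate, expected):
        return {"status": "ok", "name": acct.name}
    return {"status": "error", "message": "Incorrect email or password."}


def probe(handler: Callable[[str, str], dict], candidates: Iterable[str]) -> Dict[str, Optional[str]]:
    """What the scripted harvester in the summary does, run against a local handler:
    submit every address on a list with a bogus password and keep the ones whose
    response differs from a known-nonexistent address, plus any name that leaked."""
    baseline = handler("no-such-user@example.invalid", "bogus")
    found: Dict[str, Optional[str]] = {}
    for email in candidates:
        reply = handler(email, "bogus")
        if reply != baseline:
            found[email] = reply.get("name")
    return found


if __name__ == "__main__":
    mailing_list = ["alice@example.com", "carol@example.com"]
    print("leaky  :", probe(login_leaky, mailing_list))    # {'alice@example.com': 'Alice Example'}
    print("uniform:", probe(login_uniform, mailing_list))  # {}
```

Removing the name and photo from `login_leaky` without also unifying the error message would still leave `probe` able to confirm which addresses have accounts, which is the residual leak Kelson found. The cookie-dependent behaviour he observed is not modelled here; the point is that the response body and the amount of work done per request must not depend on whether the address is known. Password reset and sign-up forms need the same treatment, or the oracle simply moves there.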
  12. Predicted long ago by betterunixthanunix · · Score: 3, Interesting

    My security engineering text (Anderson, 2nd edition) predicted that social networking websites would become security liabilities because of the amount of personal information they store about their members. That book was published in 2007.

    "We were warned?"

    --
    Palm trees and 8
    1. Re:Predicted long ago by Archangel Michael · · Score: 2, Interesting

      "Long ago" being any length of time greater than about 3 years???

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
  13. Internet security by LoudMusic · · Score: 3, Insightful

    Q: Is your personal data safe?

    A: [in form of a question] Is it in any way a part of the internet, including being on your own computer in your own home, which is connected to the internet? If yes, then no.

    Hell, even if I don't have a Facebook account and someone takes a picture of me and uploads it to Facebook and tags it with my name then the internet knows what I look like. Privacy is a joke.

    On the other hand, perhaps there's a market in creating false identities for people as a false data internet flood. As a business they would sign up for popular social networks with your name and upload a variety of pictures claiming to be you, with routine updates about things you're not actually doing. They could use their client list to 'friend' each other and build a nice false society. If someone on the internet ever posted true or factual information or pictures about you it would be considered less reliable due to the voluminous FUD being provided by the company hired to provide false information, and therefore discarded.

    --
    No sig for you. YOU GET NO SIG!
  14. Re:It knew who I was by forgot_my_nick · · Score: 2, Informative

    Almost certainly some brain dead acquaintance of yours knows both your email addresses, had them in their email address book under your name and allowed Facebook to rifle through it when they signed up.

    --
    Cultist of the Average Middle-Aged Ones