Slashdot Mirror

← Back to Stories (view on slashdot.org)

Facebook Bug Could Give Spammers Names, Photos

Posted by timothy on from the who-am-I-again? dept.

angry tapir writes with this excerpt from an IDG report: "Facebook is scrambling to fix a bug in its website that could be misused by spammers to harvest user names and photographs. It turns out that if someone enters the e-mail address of a Facebook user along with the wrong password, Facebook returns a special 'Please re-enter your password' page, which includes the Facebook photo and full name of the person associated with the address. A spammer with an e-mail list could write a script that enters the e-mail addresses into Facebook and then logs the real names. This could help make a phishing attack more realistic."

10 of 145 comments (clear)

  1. *Smack Face* by Monkeedude1212 · · Score: 5, Insightful

    Seriously? Who is freaking writing these web pages? It would have been easier to NOT include photo's and names than to build it in there!

    1. Re:*Smack Face* by yenne · · Score: 5, Insightful

      I just tried it. Looks to me like Facebook has a problem with users who enter the wrong e-mail address and can't figure out why their logon isn't working. Hence, the "Not you? Click here." option beside the picture.

      It's entirely possible that the idiocy behind the interface design is in an ongoing stupidity arms race with the consumers on the other end.

    2. Re:*Smack Face* by paulbiz · · Score: 5, Interesting

      I have a "good" gmail address (my full name@gmail.com) and I constantly get e-mail from other people signing up for things who apparently don't know their own e-mail address. I've received passwords and various other sensitive data. Sprint was sending me receipts for someone's very large corporate purchases, I kept replying and forwarding them to sprint's customer care and they basically told me they can't do anything about it and to just delete them and not worry about it.

      It's also amazing how many sites will not let you unsubscribe without providing some kind of personal info. Seriously? They let you sign up with the wrong address without confirming it, but I can't unsubscribe unless I know the last 4 digits of the guy's SSN?

  2. Not a Bug by FrozenTousen · · Score: 5, Funny

    It's a feature. Say you get amnesia and all you remember is your email address. Now, thanks to Facebook, you have a means of finding out your name, and what you look like!

    --
    I'm a popular stranger, I'm nobody famous, I'm a famous nobody.
    1. Re:Not a Bug by Anonymous Coward · · Score: 5, Funny

      It's a very serious bug. Spammers aren't _supposed_ to be able to scrape that information without paying facebook for it.

  3. From TFA by wideBlueSkies · · Score: 5, Funny

    >>Scraping Facebook for this type of information is prohibited, she added.

    Oh, yes. That'll stop em'. Stern warnings always do.

    --
    Huh?
  4. This flaw is no longer available by SplatMan_DK · · Score: 5, Informative

    This flaw is no longer available on Facebook logon pages.

    In fact it was removed before this story made it to the /. front page.

    It was removed approx. 11 hours after the first public articles about it.

    - Jesper

    --
    My security clearance is so high I have to kill myself if I remember I have it...
  5. Re:Not The Only Problem by creat3d · · Score: 5, Informative

    You can set your profile not to be searchable by email address.

    --
    Grammar nazis are to this community what excrements are to gold.
  6. Re:Not The Only Problem by natehoy · · Score: 5, Insightful

    This means a lot if you have set your profile to be non-searchable and set your name and/or profile picture to be "visible to friends only".

    POTS analogy: This is like going to the effort of getting an "unlisted number", where you aren't supposed to be listed in the phone book and your address is not supposed to be divulged to anyone, then finding out that anyone who happens upon your number and dials it gets a recording that includes your name and address.

    Having said that, everything you enter in Facebook should be considered viewable by everyone on the planet. Facebook doesn't exactly have a long and reliable history of protecting the identity of the people who use it. They'd sell you for a nickel. They'd probably send someone to strangle your cat if they thought your angst-ridden posts would generate a few thousand more page views. It's not exactly like this should come as a surprise to anyone, especially those of us who actually use it.

    So, as someone mentioned above - this is a very, very serious bug to Facebook. This information should NEVER be given out to anyone... who isn't paying for it.

    --
    "This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
  7. Return vs. Fresh Login by Kelson · · Score: 5, Informative

    Maybe it relies on a cookie or something, and it only shows that to you because you've been logged in before.

    That does seem to be the case. I just tested it on two browsers, one of which I don't use with Facebook.

    On the browser that I don't use with Facebook, the "Please enter your password" screen did not include a name or picture.

    On the browser that I do use with Facebook, and had just logged out seconds before, my name and photo did appear. However, if I entered someone else's address, the name and photo did not appear. Just for kicks, I tried two email addresses, one of which I know does have an account and one of which I know doesn't. Facebook *did* tell me which one was not associated with an account.

    A spammer isn't going to have your cookies, so they won't get your name and photo. But they can confirm whether you have a Facebook account or not.