Facebook Login Loophole Reveals User Names and Profile Pictures
The bug was first flagged by Atul Agarwal, security researcher and CEO of Secfence Technologies. Agarwal apparently noticed the glitch after trying to log on to his account with an incorrect password. In a subsequent e-mail posted to the Full Disclosure mailing list, the researcher described how the loophole could be manipulated to harvest user data, and even came up with a proof-of-concept script to demonstrate how it could be done. Not long after Agarwal posted his explanation, another mailing list user named Javier Bassi noted that, even if a user types in an invalid e-mail address, Facebook's system will automatically suggest a valid profile picture, user name and e-mail address that's similar to the incorrect address first entered.
Shortly after InformationWeek broke the story, Facebook responded with a statement reassuring users that the site's engineers are cooking up a solution. "We have technical systems in place to prevent people's names and photos from showing to unrelated users upon login, but a recently introduced bug temporarily prevented these from working as intended," the statement reads. "We are already working on a fix and expect to remedy the situation shortly." Granted, the bug may not reveal your most valuable, highly protected information, but, at a time when many users are growing wary of the site's privacy protection, it's good to know that Facebook is doing its best to patch the hole. [From: CNET and InformationWeek]