UPDATE: Looks like the issue has been fixed now.
Oh, lovely. Check this out before Facebook patches this up—hopefully they’ll get it fixed quickly. Go to Facebook and try to log in with someone else’s e-mail address. Don’t worry about the password, it doesn’t matter. If this person has a Facebook account, you’ll see their full name, profile photo, and e-mail address on the error page telling you you’ve got the wrong password.
It works with people who have hidden their profiles, too. You can see what happens in the above photo. That’s my account when the wrong password is entered. I’ve blacked out my e-mail address but you can see my first and last names along with my profile photo.
The bug comes to light via an entry to the Full Disclosure mailing list wherein the author states that automated scripts could be set up to harvest full names to be matched with e-mail addresses for spam or phishing attacks. There’s even a PHP script attached to the entry that can be used to harvest names and e-mail addresses.
According to the entry:
“This script extracts the First and Last Name (provided by the users when they sign up for Facebook). Facebook is kind enough to return the name even if the supplied email/password combination is wrong. Furthermore, it also gives out the profile picture (this script does not harvest it, but it’s easy to add that too). Facebook users have no control over this, as this works even when you have set all privacy settings properly. Harvesting this data is very easy, as it can be easily bypassed by using a bunch of proxies.”
It’s probably not a huge, end-of-the-world issue but it’s certainly not good PR for Facebook given the recent privacy concerns surrounding the site.
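The response difference the post describes, shown as an added example (not code from the Techland post or the Full Disclosure entry): a toy login handler in the leaky form, where the wrong-password page carries the account's name and photo, beside a hardened one that returns one identical error for an unknown address and a wrong password, plus a check a defender can run against either handler. The account store, salt, names and addresses are all constructed.

```python
import hashlib
import hmac

# Constructed demo store: hypothetical accounts, not real Facebook data.
_SALT = b"constructed-demo-salt"

def _hash_password(password: str, salt: bytes = _SALT) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

USERS = {
    "alice@example.com": {
        "name": "Alice Example",
        "photo": "/photos/alice.jpg",
        "pw_hash": _hash_password("correct horse"),
    },
}
# Hash compared against when the address is unknown, so that path does the
# same work as a real comparison instead of returning early.
_DUMMY_HASH = _hash_password("dummy-never-matches")

def login_leaky(email: str, password: str) -> dict:
    """Behaviour described in the post: the wrong-password response is
    rendered with the account's name and photo, so a wrong password both
    confirms the address is registered and reveals who owns it."""
    record = USERS.get(email)
    if record is None:
        return {"ok": False, "error": "No account with that e-mail address."}
    if not hmac.compare_digest(record["pw_hash"], _hash_password(password)):
        return {"ok": False, "error": "Wrong password.",
                "name": record["name"], "photo": record["photo"]}
    return {"ok": True, "name": record["name"], "photo": record["photo"]}

def login_hardened(email: str, password: str) -> dict:
    """Fixed form: unknown address and wrong password yield the identical
    response, and profile data is returned only after a successful login."""
    record = USERS.get(email)
    stored = record["pw_hash"] if record is not None else _DUMMY_HASH
    matched = hmac.compare_digest(stored, _hash_password(password))
    if record is None or not matched:
        return {"ok": False, "error": "Incorrect e-mail address or password."}
    return {"ok": True, "name": record["name"], "photo": record["photo"]}

def enumerates_accounts(handler) -> bool:
    """Defender's check: with a wrong password, does a registered address get
    a different response body than an unregistered one?"""
    known = handler("alice@example.com", "wrong-password")
    unknown = handler("nobody@example.com", "wrong-password")
    return known != unknown
```

Run `enumerates_accounts` against any login handler: a `True` result means the failure responses distinguish registered from unregistered addresses, which is the condition the post's harvesting script relies on.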
[via The Register]