SafeUM
Home Blog Services Download Help About Recharge
EN
RU

Axarhöfði 14, 110 Reykjavik, Iceland

Iceland - 2015
SafeUM
Blog
Services
Download
Help
About
Recharge
Menu
EN
Lang
EN
RU
Archive
TOP Security!
26 Dec 2016

Clever Facebook hack reveals private email address of any user

Christmas came early for Facebook bug bounty hunter Tommy DeVoss who was paid $5,000 this week for discovering a security vulnerability that allowed him to view the private email addresses of any Facebook user.

“The hack allowed me to harvest as many email addresses as I wanted from anybody on Facebook,” DeVoss said. “It didn’t matter how private you thought your email address was – I could of grabbed it.”

DeVoss said on Thanksgiving Day he discovered the vulnerability and reported it to Facebook via its bug bounty program. After weeks of going back and forth verifying what the exact bug was and how it was exploited, Facebook said it would award him $5,000 for the discovery. And on Tuesday it did. The bug was tied to the user-generated Facebook Groups feature that allows any member to create an affinity group on the social network’s platform. DeVoss discovered as an administrator of a Facebook Group he could invite any Facebook member to have Admin Roles via Facebook’s system to do things such as edit post or add new members.

Those invitations were handled by Facebook and sent to the invited recipient’s Facebook Messages inbox, but also to the Facebook user’s email address associated with their account. In many cases users choose to keep their email addresses private. DeVoss discovered, despite privacy settings set by Facebook members, he was able to gain access to any Facebook user’s email address whether he was Friends with them or not.

DeVoss found when he cancelled pending invitations to those invited to be Facebook Group Administrators there was a glitch. “While Facebook waits for the confirmation, the user is forwarded to a Page Roles tab that includes a button to cancel the request,” he said. Next, he switched to Facebook’s mobile view of the Page Roles tab. Here DeVoss was able to view the full email addresses of anyone he wanted to cancel from becoming a Facebook Group Administrator.

“I noticed that when you clicked to cancel the administrator invitation on the mobile page, you were redirected to a page with the email address in the URL,” he said. “Now all you have to do is pluck the plaintext version of the confidential email address straight from the URL.”

The impact of this vulnerability could be diverse, he wrote in a blog post outlining his discovery. “Harvesting email addresses this way contradicts Facebook’s privacy policy and could lead to targeted phishing attempts or other malicious purposes.” Facebook confirmed the hack and said it has no evidence the vulnerability was ever misused. Facebook said it has implemented a fix to prevent the issue from being exploited.

DeVoss, a software developer in Virginia, said this is the largest bug bounty payment he has ever earned. He told he participates in a number of bug bounty programs including Yahoo’s and the Hack the Pentagon program. For its part, in October Facebook announced it has paid out more than $5 million to 900 researchers in the five years since it implemented its bug bounty program. The company said it paid out $611,741 to 149 researchers in the first half of 2016 alone.

Facebook was one of the first websites to launch a bug program when it followed in the footsteps of both Mozilla and Google in August 2011. In February, the company paid $10,000 to a 10-year-old boy from Finland after he discovered an API bug in the image sharing app Instagram, which Facebook bought for $1B in 2012. The company awarded $15,000 to Anand Prakash in March for a bug allowed him to crack open any of Facebook’s 1.1 billion accounts using a rudimentary brute force password attack.

Tags:
information leaks Facebook
Source:
Threatpost
1617
Other NEWS
3 Jul 2020 safeum news imgage An encrypted messaging service has been infiltrated by police
4 May 2020 safeum news imgage Two-Factor Authentication ​What Is It and Why You Should Use It
12 Dec 2019 safeum news imgage Encryption is under threat - this is how it affects you
4 Nov 2019 safeum news imgage Should Big Decisions Be Based on Data or Your Intuition?
7 Jun 2018 safeum news imgage VPNFilter malware infecting 500,000 devices is worse than we thought
4 Jun 2018 safeum news imgage Hackers target Booking.com in criminal bid to steal hundreds of thousands from customers
1 Jun 2018 safeum news imgage Operator of World's Top Internet Hub Sues German Spy Agency
30 May 2018 safeum news imgage US says North Korea behind malware attacks
29 May 2018 safeum news imgage Facebook and Google targeted as first GDPR complaints filed
25 May 2018 safeum news imgage A new reason to not buy these cheap Android devices
24 May 2018 safeum news imgage Flaws in smart pet devices, apps could come back to bite owners
23 May 2018 safeum news imgage Google sued for 'clandestine tracking' of 4.4m UK iPhone users' browsing data
21 May 2018 safeum news imgage LocationSmart reportedly leaked phone location data onto the web
18 May 2018 safeum news imgage The SEC created its own scammy ICO to teach investors a lesson
17 May 2018 safeum news imgage Thieves suck millions out of Mexican banks in transfer heist
All news
SafeUM
Confidential Terms of Use Our technologies Company
Follow us
Download
SafeUM © Safe Universal Messenger

Axarhöfði 14,
110 Reykjavik, Iceland

Iceland - 2015