In almost any web app you'd write this up as "Sev: Low", "Impact: Information Leakage".

But this isn't any web app; it's the most popular complex web app in the world. It seems like there's zero likelihood Facebook doesn't (a) know about this and (b) want Facebook to work this way. Presumably, it helps people like my mom.

It was always a bad idea to associate your secret anonymous email address that you use to send ransom letters with your Facebook account.
Um, it's easier than that. You can do this with the graph API. Although current (but undocumented) rate limits make it infeasible to do much with it.

https://graph.facebook.com/search?q=josh@eventvue.com&type=user&access_token=..

http://developers.facebook.com/docs/api#search
The author states it might be useful in guessing valid company email addresses. Isn't it easier to create a CSV/Outlook compatible file containing hundreds of generated addresses, and then ask Facebook to find new friends for you? Plus, that will allow you to check many more addresses before Facebook senses something silly and disables the login form - which would happen if you use the login-form method.

Heck, this is perfectly possible with LinkedIn and Twitter as well. I don't understand what the fuss is.
Since GMail released their small revision the other day that put a more "GMail-like" GUI on the Contacts section, I've been sorting and completing my list of contacts. I had 5 ambiguous e-mail addresses left that I couldn't pinpoint who they belonged to. After reading this article I decided to give this Facebook feature/vulnerability a try. 4 out of 5 previously anonymous e-mails are now verified with their first, last name, and photo (it turns out I know all 4 in person so in all likelihood the results are correct). Not too shabby, and a little bit scary.
RapLeaf offers a service where you give it an email address and it returns the Facebook, Twitter and other social media accounts associated with it.

Now, I'm not saying they are using *this* vector, but then they must be using something like this because how else could they offer the service. (This also means there might be other vectors to achieve this end result).

To me, this also makes me pleased that I use a unique email address against my email domain for each site I use.
I agree with the overall sentiment that this is a relatively minor vulnerability.

It could be put to malicious use by phishers. If I know your full name I can make more realistic phishing emails.
I'm not so sure why this even matters. If you search for someone based on their email address within Facebook, it comes up with their name and photo as well. In my case, it's a feature. But true, there is no point to it giving this information on the wrong password screen, but if someone wants this information they can still get it using Facebook.

Maybe Google should worry about this too... I usually type unfamiliar email addresses into Google and end up with far more than just a name and a picture.
Nice find. The followup is correct; slight misspellings are corrected, allowing further guesses.

This coupled with the fbnames release earlier makes me think it's only a matter of time before someone crawls and "open sources" all accessible personal data from Facebook.
The same can be done for Gmail (and probably Google Apps) users through GDocs. Just share a document to an email address, and GDocs will show you their name.
Not sure if that's only on Facebook US servers or it's been disabled already, but from here in NZ there's no such info leakage, you get a very boring error page.

The only thing you can discover is whether the email address you entered is a valid Facebook login or not - you get a different error response for an email address that's not a valid Facebook login.
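The comment above describes the remaining oracle: a different error for an unknown address than for a known address with a wrong password. The following is an added example (not code from the thread, from Facebook, or from any commenter) that contrasts a login handler with the behaviour described in the article, where the wrong-password branch also returns the display name, with a hardened handler that returns one uniform message and does the same hashing work on both paths. The user store, names and passwords are constructed sample data; `leaky_login`, `hardened_login` and `responses_distinguishable` are hypothetical names chosen for this illustration.

```python
"""
Added example: an email/password login that acts as an enumeration oracle
(the behaviour the thread discusses) next to a hardened version that does not.
All accounts and passwords are constructed sample data.
"""
import hashlib
import hmac
import os


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 keeps the cost of a wrong guess the same on every path.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed sample user store: email -> (salt, password hash, display name)
_SALT_A = os.urandom(16)
USERS = {
    "alice@example.test": (_SALT_A, _hash("correct horse", _SALT_A), "Alice Example"),
}

# Dummy credential so unknown addresses cost the same hashing time as known ones
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("unused", _DUMMY_SALT)

GENERIC = {"ok": False, "error": "Incorrect email or password"}


def leaky_login(email: str, password: str) -> dict:
    """The behaviour described in the thread: three distinguishable outcomes,
    and the wrong-password branch reveals the account holder's name."""
    rec = USERS.get(email)
    if rec is None:
        return {"ok": False, "error": "No account with that email"}
    salt, digest, name = rec
    if not hmac.compare_digest(_hash(password, salt), digest):
        return {"ok": False, "error": "Wrong password", "name": name}
    return {"ok": True, "name": name}


def hardened_login(email: str, password: str) -> dict:
    """Uniform failure: identical message and identical work whether or not
    the address exists, and no profile data before authentication succeeds."""
    rec = USERS.get(email)
    if rec is None:
        salt, digest, name = _DUMMY_SALT, _DUMMY_HASH, None
    else:
        salt, digest, name = rec
    # Always run the comparison, then require a real record for success.
    match = hmac.compare_digest(_hash(password, salt), digest)
    if not (match and rec is not None):
        return dict(GENERIC)
    return {"ok": True, "name": name}


def responses_distinguishable(login_fn) -> bool:
    """True when the failure response for an unknown address differs from the
    failure response for a known address with a wrong password, i.e. the
    endpoint can be used to confirm which addresses have accounts."""
    unknown = login_fn("nobody@example.test", "x")
    wrong_pw = login_fn("alice@example.test", "x")
    return unknown != wrong_pw


if __name__ == "__main__":
    print("leaky endpoint is an oracle:", responses_distinguishable(leaky_login))
    print("hardened endpoint is an oracle:", responses_distinguishable(hardened_login))
```

The response-body check is only half of the story: the two paths must also take the same time (hence the dummy hash for unknown addresses) and the endpoint still needs rate limiting, since the comments note that the same lookup is reachable through friend import and the Graph API as well.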