I work at Facebook on the security team.

This is an account recovery endpoint used if your account was hacked, for example.

Your name, profile picture and a few other things are considered public information, so there is no security issue displaying them. See: https://www.facebook.com/help/167709519956542
It appears this only works if you're using an account that you've already logged into from that IP address.

If you try someone else's phone number, it has a placeholder profile picture, says "Facebook User", and has censored out the email addresses to send a recovery email to.

I'm guessing everyone here is using their own phone number to test with, which yields a lot more information than if you were to try it with the phone number of a friend who's never logged into Facebook from your network.
Pair this with the Snapchat leak, so you can go from:

Snapchat Username --> Snapchat Phone Number --> Facebook Account

I hope people are behaving.
I had reported this to FB security last year when I found it was trivial to find partially masked email IDs & phone numbers of anyone behind my Uni's gateway.

I was informed that this was a design decision, since previously used IPs are more trustworthy than any new IP. I considered this a design flaw and reported it, since large institutions are typically behind a NAT and they become susceptible to targeted attacks.
It definitely gives you much more information than you had when you started... It really shouldn't display name/photo.

An example of a poor trade for experience vs security.
Privacy is dead.

If you're going to do something that might raise the ire of someone sophisticated, don't do it online with your true and/or trusted persona.

Now if you're complaining the waterline for "sophisticated" is getting lower... well... welcome to technology :)