date 2022-04-21
Brace yourselves. Facebook has a new mega-leak on its hands:
Still smarting from last month's dump of phone numbers belonging to 500 million Facebook users, the social media giant has a new privacy crisis to contend with: a tool that, on a mass scale, links the Facebook accounts associated with email addresses, even when users choose settings to keep them from being public.
A video circulating on Tuesday showed a researcher demonstrating a tool named Facebook Email Search v1.0, which he said could link Facebook accounts to as many as 5 million email addresses per day. The researcher—who said he went public after Facebook said it didn't think the weakness he found was "important" enough to be fixed—fed the tool a list of 65,000 email addresses and watched what happened next.
"As you can see from the output log here, I'm getting a significant amount of results from them," the researcher said as the video showed the tool crunching the address list. "I've spent maybe $10 to buy 200-odd Facebook accounts. And within three minutes, I have managed to do this for 6,000 [email] accounts."
Ars obtained the video on condition the video not be shared. A full audio transcript appears at the end of this post.
In a statement, Facebook said: "It appears that we erroneously closed out this bug bounty report before routing to the appropriate team. We appreciate the researcher sharing the information and are taking initial actions to mitigate this issue while we follow up to better understand their findings."
A Facebook representative didn't respond to a question asking if the company told the researcher it didn't consider the vulnerability important enough to warrant a fix. The representative said Facebook engineers believe they have mitigated the leak by disabling the technique shown in the video.
(Score: 0) by Anonymous Coward on Thursday April 22, @01:32PM (3 children)
Jeez, just email your family pictures.
There is no need for Facebook.
(Score: 1, Touché) by Anonymous Coward on Thursday April 22, @01:43PM (2 children)
(Score: 2) by Tork on Thursday April 22, @02:41PM (1 child)
(Score: 0) by Anonymous Coward on Thursday April 22, @02:44PM
Not email, but, essentially yes.
(Score: 3, Informative) by Frosty Piss on Thursday April 22, @02:07PM (1 child)
These "so-called" hacks are simply running a script to collect emails and phone numbers the Facebook accounts have publicly posted in their profiles. Nothing to see except stupid people, move along.
(Score: 2) by Tork on Thursday April 22, @02:52PM
(Score: 0) by Anonymous Coward on Thursday April 22, @02:16PM
(Score: 0) by Anonymous Coward on Thursday April 22, @02:24PM
Translation:
We hoped this guy wouldn't go public with it, but apparently he called our bluff, and so now we have to deal with it using all sorts of weasel sentences. Make no mistake, we'll put a special mark on his Facebook account to make sure we can properly keep an eye on this undesirable, effectively putting them under 24/7/.365[.25] surveillance, since the internet is our panopticon! We will investigate whether or not we can either buy their silence or, if this fails, will make sure that anyone searching for this individual anywhere sees only information that will dissuade them from interacting with this pariah.
(Score: 0) by Anonymous Coward on Thursday April 22, @02:34PM
