Critical Facebook flaw exposed email address for any account

Pierluigi Paganini July 10, 2013

A critical Facebook flaw exposed the email address of any account. The discovery was made by Stephen Sclafani, security researcher and founder of PlayToWin.

Another vulnerability threatens the privacy of Facebook users, allowing the disclosure of the primary email address of any account.
Stephen Sclafani, security researcher and founder of PlayToWin, described the attack technique in a blog post titled “Obtaining The Primary Email Address Of Any Facebook User”, explaining how account owners are exposed to the risk of cyber attacks such as phishing.
Facebook users have to provide a valid email address when they sign up for the popular social network; the email used becomes the user’s primary email address.
The researcher revealed the presence of a Facebook flaw in the invitation process that is used to invite other users to join the social network.
The following image shows the invitation email received by a user, which asks them to click an embedded URL to sign up for the service.
[Image: Facebook invitation email]
After clicking the sign-up link, the user is redirected to a sign-up page with the email address and user name fields already filled in. The following is the page presented when the user clicks the link to sign up for an account:
[Image: Facebook sign-up page]
The sign-up URL accepts two parameters, “re” and “mid”. By manipulating them, in particular by changing part of “mid”, an attacker could expose the email address of another user. The URL is shown below, followed by its “mid” value split at each “G” separator:
http://www.facebook.com/r.php?re=245bf2da75118af20d917bdd34babddb&mid=59b63aG5af3107aba69G0G46
59b63a G 5af3107aba69 G 0 G 46
“Only the second value was important. The value was an ID associated with the address that the invitation was sent to in hex. A Facebook user’s numerical ID could be put as this value and their primary email address would be displayed. A user’s numerical ID is considered public information and can be obtained from the source of their profile or through the Graph API.”
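
A minimal model of this bug class and one way to close it, as an added example that is not Facebook's code or part of the original article. The record stores, key and function names are hypothetical, and using an HMAC as the “re” token is an assumption, since the article does not say how “re” was generated or how Facebook fixed the issue.

```python
import hashlib
import hmac

# Constructed sample data. Accounts and pending invitations are reachable
# through the same numeric ID, which is the condition the flaw depends on.
ACCOUNTS = {1001: "alice@example.com"}           # existing user's primary email
INVITES = {2002: "invited.friend@example.com"}   # address an invitation was sent to
SECRET = b"server-side-key-placeholder"          # hypothetical signing key


def build_mid(ident):
    """Build a 'mid' in the article's G-separated shape (outer fields are dummies)."""
    return f"aaaaG{ident:x}G0G0"


def prefill_vulnerable(mid):
    """Flawed lookup: trusts the second 'mid' field and resolves any record."""
    ident = int(mid.split("G")[1], 16)
    return ACCOUNTS.get(ident) or INVITES.get(ident)


def sign_invite(invite_id):
    """Hypothetical 're' token: an HMAC bound to one invitation ID."""
    return hmac.new(SECRET, str(invite_id).encode(), hashlib.sha256).hexdigest()


def prefill_hardened(re_token, mid):
    """Pre-fill only from invitation records, and only if 're' matches the ID."""
    try:
        ident = int(mid.split("G")[1], 16)
    except (IndexError, ValueError):
        return None                      # malformed 'mid'
    expected = sign_invite(ident).encode()
    if not hmac.compare_digest(expected, re_token.encode()):
        return None                      # ID was swapped or token was forged
    return INVITES.get(ident)            # never falls back to account records


if __name__ == "__main__":
    token = sign_invite(2002)            # token issued with the real invitation
    print(prefill_vulnerable(build_mid(1001)))       # leaks the account email
    print(prefill_hardened(token, build_mid(2002)))  # legitimate invitee
    print(prefill_hardened(token, build_mid(1001)))  # swapped ID is rejected
```

The hardened handler applies two independent checks: the token authenticates the exact ID in the link, and the lookup is scoped to invitation records so a valid token can never resolve an account's primary email.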

Using this Facebook flaw, a hacker could retrieve the email addresses of all Facebook profiles simply by writing an automated script to grab the email addresses of billions of Facebook users.

My colleague at The Hacker News Magazine proposed a simple procedure to follow for the hack, using an automated script to grab all emails:

  • Grab the profile links of all Facebook users from the Facebook People Directory, i.e. http://www.facebook.com/directory/people/
  • Collect the Facebook ID for each profile from the Facebook Graph API, i.e. http://graph.facebook.com/mohitkumar.thehackernews, where the user ID is 1251386282.
  • In the next step, using curl or another method, open the modified URL for each profile, i.e. http://www.facebook.com/r.php?re=245bf2da75118af20d917bdd34babddb&mid=59b63aG1251386282G0G46
  • Filter the email address from the source code obtained in the above step for each profile and store it in a database.
The Facebook flaw should lead us to reflect on the digital exposure of our identity on social media. These bugs could open the door to professional hackers, cyber criminals and state-sponsored hackers, and allow them to gather sensitive information that could be used during an attack.
There is no limit to the potential exploitation of these vulnerabilities. Social network users are everywhere, in private companies and government offices, so an awareness campaign about the risks related to cyber threats is crucial, and of course it is essential that service providers such as Facebook respond promptly to the discovery of a flaw. In this specific case the issue was reported to Facebook on March 22nd and it was fixed within 24 hours … excellent! A bounty of $3,500 was awarded to Stephen as part of their Bug Bounty program.
Pierluigi Paganini
(Security Affairs – Facebook Flaw, hacking, social network)

