A critical Facebook flaw exposed the email address of any account. The discovery was made by Stephen Sclafani, security researcher and founder of PlayToWin.
“Only the second value was important. The value was an ID associated with the address that the invitation was sent to in hex. A Facebook user’s numerical ID could be put as this value and their primary email address would be displayed. A user’s numerical ID is considered public information and can be obtained from the source of their profile or through the Graph API.”
Using this Facebook flaw, a hacker can retrieve the email addresses of all Facebook profiles simply by writing an automated script to grab the email addresses of billions of Facebook users.
My colleague at The Hacker News Magazine proposed a simple procedure to follow for the hack, using an automated script to grab all emails:
- Grab the profile links of all Facebook users from the Facebook People Directory, i.e. http://www.facebook.com/directory/people/
- Collect the Facebook ID for each profile from the Facebook Graph API, e.g. http://graph.facebook.com/mohitkumar.thehackernews, where the user ID is 1251386282.
- In the next step, using curl or another method, open the modified URL for each profile, i.e. http://www.facebook.com/r.php?re=245bf2da75118af20d917bdd34babddb&mid=59b63aG1251386282G0G46
- Filter the email address out of the source code obtained in the above step and store it in a database for each profile.
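The quoted description ("only the second value was important") is the pattern of an insecure direct object reference: the page trusted a client-supplied ID without tying it to the invitation it came with. The sketch below is an added example, not Facebook's code or its actual fix; it models that pattern beside a hardened lookup that binds the link's token to one address ID, and every name, key and address in it is a constructed assumption.

```python
import hashlib
import hmac
from typing import Optional

# Constructed demo data; a real service would load the key from a secret store.
SERVER_KEY = b"constructed-demo-key"
EMAIL_BY_ID = {1001: "invitee@example.com", 1002: "other.user@example.com"}


def issue_token(address_id: int) -> str:
    """Token placed in an invitation link, valid for one address ID only."""
    msg = str(address_id).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def lookup_vulnerable(token: str, address_id: int) -> Optional[str]:
    """Flawed pattern: the token is accepted but never checked against the ID."""
    return EMAIL_BY_ID.get(address_id)


def lookup_hardened(token: str, address_id: int) -> Optional[str]:
    """Reveal the address only if the token was issued for this exact ID."""
    expected = issue_token(address_id).encode()
    # Constant-time comparison avoids leaking how much of the token matched.
    if not hmac.compare_digest(expected, token.encode()):
        return None
    return EMAIL_BY_ID.get(address_id)


if __name__ == "__main__":
    link_token = issue_token(1001)  # link legitimately sent to ID 1001
    print("vulnerable, swapped ID:", lookup_vulnerable(link_token, 1002))
    print("hardened, swapped ID:  ", lookup_hardened(link_token, 1002))
    print("hardened, original ID: ", lookup_hardened(link_token, 1001))
```

On the server side, repeated requests that fail the binding check for many different IDs from one client are also a useful signal to rate-limit and alert on.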