Forgot your password?
typodupeerror
Security Social Networks IT

Facebook Bug Could Give Spammers Names, Photos 145

Posted by timothy
from the who-am-I-again? dept.
angry tapir writes with this excerpt from an IDG report: "Facebook is scrambling to fix a bug in its website that could be misused by spammers to harvest user names and photographs. It turns out that if someone enters the e-mail address of a Facebook user along with the wrong password, Facebook returns a special 'Please re-enter your password' page, which includes the Facebook photo and full name of the person associated with the address. A spammer with an e-mail list could write a script that enters the e-mail addresses into Facebook and then logs the real names. This could help make a phishing attack more realistic."
This discussion has been archived. No new comments can be posted.

Facebook Bug Could Give Spammers Names, Photos

Comments Filter:
  • *Smack Face* (Score:5, Insightful)

    by Monkeedude1212 (1560403) on Thursday August 12, 2010 @04:13PM (#33232256) Journal

    Seriously? Who is freaking writing these web pages? It would have been easier to NOT include photo's and names than to build it in there!

    • Re:*Smack Face* (Score:4, Insightful)

      by odies (1869886) on Thursday August 12, 2010 @04:15PM (#33232284)

      I think the summary and story is looking at wrong aspect about it too. Spammers, whatever. You're just one in a million. This is a lot more serious about people that just know your email, but are in more personal contact with you than some spammers. Website owners, forum administrator, people you meet on the internet.. Those who know your email but don't really know your real identity. That's a lot more serious privacy violation.

      • Re: (Score:3, Insightful)

        by billcopc (196330)

        I don't see what the big fuss is... it's your name. If someone has your email address, they probably have some sense of who you are. If you don't trust them with your real name, then at the very least have some forethought and give them a throwaway email address.

        Me, I'm Bill Lambert. My email address is billco@fnarg.com . Says so on my whois records. Big fucking whoop. That's what spamassassin is for.

        • by Chysn (898420)
          It's no so much the name as a picture, I think. People are accustomed to seeing their Facebook pictures only (or at least primarily) in Facebook, and a phishing attack that involves that picture would be a lot more convincing.
      • by vlueboy (1799360)

        Website owners, forum administrator, people you meet on the internet.. Those who know your email but don't really know your real identity.

        Yet another reason to hide your email on forums' public profiles.

        If FB fails to change anything, then more power to me for avoiding it. I can't believe this past two years: google improved forum indexing to the point that too much crap obscures legit searches ... spammers have also gotten real good at stealing, curating my personal data and cloning it in a way to contribute to the above "crapflood." Phone books cannot even dream of the power of the spammers for aggregating data to piece together exactly who

    • Re: (Score:2, Funny)

      by Anonymous Coward

      Seriously? Who is freaking writing these web pages?

      Probably an ex-Slashcode developer.

    • Re: (Score:1, Informative)

      by mcgrew (92797) *

      It would have been easier to NOT include photo's and names than to build it in there!

      Dude, please learn when to use an apostrophe [angryflower.com]. We have lots of non-native English speakers here, and they may assume that your use of language is educated, seeing as how this is a nerd site and all.

      Moderators, please mod me down, I'm offtopic. Thx.

      • Maybe he's a non-native speaker himself ;)

      • Re: (Score:2, Informative)

        It is a bad habit I have. I'll write a sentence, then I'll read it over, and decide to change the structure entirely, then re-read it a bit to make sure it makes sense, then put it up there without looking too much at grammar.

        So if I had said something like "The photo's location" but then decided the location part is irrelevant and I could just work it around to just say "the photos" then I do so, but its all cut copy paste delete so the apostrophe reamins in place. Makes errors and I apologize.

        I also tend

    • Re: (Score:2, Interesting)

      by ilo.v (1445373)

      Who is freaking writing these web pages? It would have been easier to NOT include photo's and names

      I'm not defending their choices, but there is a legitimate reason why they would do this. Some users mistype their username, not their password. This results in a "failed login" screen. If there is no photo (or name) they may assume they have mistyped their password, and keep trying it over and over. Throwing up the picture associated with that account helps the user figure out that the reason they can't

      • I see your point, and it is an excellent one. However, I think I would have prefered it being some kind of bug that suggests the page you are being redirected to when failing to login goes to a default page which then loads certain contols (like other facebook pages), and that it naturally shows the info when you are logged in. As opposed to a logical error that someone thought this would be a good idea and didn't consider the consequences of privacy involved with it. Not that I'm surprised with the current

      • Re: (Score:3, Insightful)

        by Abstrackt (609015)
        I do some of my banking with ING and they let you select a combination of a picture and phrase that's unique to you, why couldn't Facebook implement the same? All they would need is a stock of pictures for people to choose from and a text field. If you don't see your selected picture and your selected text you'd know you tried logging into the wrong account.
        • Because a surprisingly large number of internet users are blind or have poor eyesight, and your system would exclude them from facebook ....Just like they are excluded from ING's website ...

          • by netsharc (195805)

            I wonder how the AJAX-crazy Facebook would work for the poor-sighted anyway... I have a hunch: not very good.

            And imagine the TTS-engine:
            "Moron McDumbass needs an UZI for a Mafia Wars raid.
            Moron McDumbass needs bullets for a Mafia Wars raid.
            Moron McDumbass needs a getaway car for a Mafia Wars raid."

      • Re: (Score:3, Insightful)

        I wouldn't call that a legitimate reason since that implies, well, legitimacy. Instead, it's simply a possible explanation for how they arrived at their poor choice.

        A more secure solution to the problem you pose would be to clear the user name on the "failed login" screen in addition to the password, regardless of which is incorrect. And if anyone wants to argue that having to retype both would be inconvenient, I'll preemptively counter by saying security should not be sacrificed for the sake of convenience

      • by asdf7890 (1518587)
        Legitimate reason: yes. Good reason: no. Commonly accepted best-practice is not to let the user know which part is wrong. Reporting that the username is fine but the password isn't makes brute-force login attempts a more practical form of attack especially where you are expecting daft users with poor password choices - and facebook themselves expects their users to be too daft to properly choose and look after their usernames/passwords hence the "enter your email address and password here and we'll look at
    • Re:*Smack Face* (Score:5, Insightful)

      by yenne (1366903) on Thursday August 12, 2010 @05:37PM (#33233378)

      I just tried it. Looks to me like Facebook has a problem with users who enter the wrong e-mail address and can't figure out why their logon isn't working. Hence, the "Not you? Click here." option beside the picture.

      It's entirely possible that the idiocy behind the interface design is in an ongoing stupidity arms race with the consumers on the other end.

      • Re:*Smack Face* (Score:5, Interesting)

        by paulbiz (585489) on Thursday August 12, 2010 @05:57PM (#33233538) Journal

        I have a "good" gmail address (my full name@gmail.com) and I constantly get e-mail from other people signing up for things who apparently don't know their own e-mail address. I've received passwords and various other sensitive data. Sprint was sending me receipts for someone's very large corporate purchases, I kept replying and forwarding them to sprint's customer care and they basically told me they can't do anything about it and to just delete them and not worry about it.

        It's also amazing how many sites will not let you unsubscribe without providing some kind of personal info. Seriously? They let you sign up with the wrong address without confirming it, but I can't unsubscribe unless I know the last 4 digits of the guy's SSN?

        • Re: (Score:3, Interesting)

          by Pharmboy (216950)

          I have a "good" gmail address (my full name@gmail.com) and I constantly get e-mail from other people signing up for things who apparently don't know their own e-mail address.

          Glad to know I am not the only one. My yahoo email address, which I have used since the mid 90s when they started offering email (back when 9 characters was the maximum name size....) gets the same thing, legitimate "thanks for signing up" from legit companies, where some idiot didn't know their own email address. Ironically, my email

        • by yenne (1366903)

          I constantly get e-mail from other people signing up for things who apparently don't know their own e-mail address.

          My e-mail address is also my full name with a "dot net" at the end, and I have chronic issues with customer service reps who don't know how to type anything other than "dot com".

          That is pretty ridiculous about not being able to unsubscribe, though.

        • Re:*Smack Face* (Score:5, Interesting)

          by Dhalka226 (559740) on Thursday August 12, 2010 @06:23PM (#33233746)

          I had the same problem happen, with some extremely sensitive data coming in.

          In addition to somewhat mundane things like airline confirmations, hotel confirmations, etc, there were several letters about legal problems. The person they were trying to reach is apparently the head of an investment group and under investigation by the SEC. I also once received an email containing a bank account number with routing number. Usually it was sent to his (proper) business address and CC'd to my address, which I assume they thought was a personal address for him. When correspondence from lawyers starting coming in I decided it was well past time to start emailing these people and telling them to oh my god please stop. That's a can of worms I just wanted no part of whatsoever.

          I did do a quick Google search for the guy; same last name, different first name (same first initial, the combination of which is my email address). Really a problem that shouldn't have happened, especially not that many times from that many different sources.

        • by ekhben (628371)

          That's only 10,000 combinations. Brute force script it. Don't bother testing for success, just blast 10,000 HTTP requests at them.

          • by Khyber (864651)

            If only one would combine the LOIC with a brute-force script. DDoS + password stealing all in one.

            Bet 4chan would shit themselves over that. While AES256 may take the universe suffering from total entropy before it got cracked, I bet with a good logistical separation and delegation of sections to attempt they could crack it.

            Just simply brute-forcing it would take eternity. Use a little statistics and logistics, and some proper task delegation, I'd be willing to bet that a brute-force could be accomplished w

        • by Piranhaa (672441)

          Last year I had someone at the the Sierra Club having their mail being forwarded to me. The guy's name was identical to mine.
          I replied to it saying I must be getting their emails, but I guess it wasn't important.

          I got confidential email after confidential email. Even emails that "Sally was not impressed with the way you guys left the kitchen today". So I had some fun replying to some of their emails.

          It took them a few months before anyone finally fixed it - or the guy finally realized that his email wasn't

        • by gsslay (807818)

          I get this too. My name is not that common, unfortunately the idiots making the mistake are the same ones again and again. I'm now at the point that I can guess which idiot, as I know enough about their interests from what websites they sign up to.

          It's just as bad when they tell their friends or colleagues the wrong email address. It took me a year to convince a certain military outfit that I was not part of their unit and to stop sending me orders about next week's operations. God knows what was happe

    • I think they tried to copy the "active neopet" login security feature on Neopets.
    • Not only that, but I take it if someone like me were to use facebook without adding pictures, but just to stay in touch, i guess you would not get much other then my online name (which is never the real name) and an empty picture box.

  • Not a Bug (Score:5, Funny)

    by FrozenTousen (1874546) on Thursday August 12, 2010 @04:14PM (#33232264)

    It's a feature. Say you get amnesia and all you remember is your email address. Now, thanks to Facebook, you have a means of finding out your name, and what you look like!

  • by Revotron (1115029) on Thursday August 12, 2010 @04:15PM (#33232276)

    Fixing this alone means nothing. If you search for someone on Facebook it will show you a name and a profile picture. Sure, it requires a facebook account, but that's not too hard to create for somebody with 4,000,000 email addresses.

    • Re: (Score:3, Interesting)

      by yincrash (854885)
      A user can prevent the profile picture from showing, and you can't search by email address (that I know of). However, this bypasses the profile picture privacy option.
    • Re: (Score:2, Insightful)

      I have no FB account (never will, either!) yet I can do a google cache search AND get 'goodies' on FB users that way.

      so, that's yet another hole that needs to be patched.

    • by natehoy (1608657) on Thursday August 12, 2010 @04:42PM (#33232704) Journal

      This means a lot if you have set your profile to be non-searchable and set your name and/or profile picture to be "visible to friends only".

      POTS analogy: This is like going to the effort of getting an "unlisted number", where you aren't supposed to be listed in the phone book and your address is not supposed to be divulged to anyone, then finding out that anyone who happens upon your number and dials it gets a recording that includes your name and address.

      Having said that, everything you enter in Facebook should be considered viewable by everyone on the planet. Facebook doesn't exactly have a long and reliable history of protecting the identity of the people who use it. They'd sell you for a nickel. They'd probably send someone to strangle your cat if they thought your angst-ridden posts would generate a few thousand more page views. It's not exactly like this should come as a surprise to anyone, especially those of us who actually use it.

      So, as someone mentioned above - this is a very, very serious bug to Facebook. This information should NEVER be given out to anyone... who isn't paying for it.

    • Fixing this alone means nothing. If you search for someone on Facebook it will show you a name and a profile picture. Sure, it requires a facebook account, but that's not too hard to create for somebody with 4,000,000 email addresses.

      People from our lab have a paper coming up at RAID this year pretty much on the same issue, exploited at a large scale (trying millions of email addresses): http://iseclab.org/papers/raid2010.pdf [iseclab.org]. Read it if you want to get an idea of how much impact such an attack can have. As a spammer, if I know the full name and list of friends (public information on facebook) associated with an email address in my spam targets list, I can do some very sneaky, targeted spam pretending to come from one of your friends...

  • Wow (Score:2, Redundant)

    by mark72005 (1233572)
    Just when you thought all the obvious exploits and privacy problems had to be gone by now, they go off and amaze us again.

    Get ready for another irreducibly complex tier of privacy settings, i'm sure.
    • actually I'd say it's more symptomatic of the blacklist mentality. you get better security/data control if you have to whitelist access.
  • From TFA (Score:5, Funny)

    by wideBlueSkies (618979) * on Thursday August 12, 2010 @04:16PM (#33232298) Journal

    >>Scraping Facebook for this type of information is prohibited, she added.

    Oh, yes. That'll stop em'. Stern warnings always do.

    • Re: (Score:3, Funny)

      Strongly worded public letters deter most bots.

      • Re:From TFA (Score:4, Insightful)

        by interkin3tic (1469267) on Thursday August 12, 2010 @04:30PM (#33232546)

        They should probably throw in a logical paradox to make their heads explode or short circuit. Like "It's forbidden to use this picture and name for evil purposes, because people want privacy, even though they put it all up there suggesting they don't want privacy... think about that."

        There's only one problem...

        "Santa-bot: Nice try. But my head was built with paradox-absorbing crumple-zones"

    • I've seen multiple comments by Facebook to the media that make it sound like customer privacy is something that can be put back in a box after a breach has taken it out. I'm not sure if they actually believe that they can compel the scrapers to delete all copies of the data, or if they are just posturing.
  • Need an adult (Score:4, Insightful)

    by dan_sdot (721837) on Thursday August 12, 2010 @04:16PM (#33232300)
    Ok, we need an adult to start running this company please. Seriously, this Zuckerberg guy is so far out of his league it is laughable.
    • Re: (Score:2, Informative)

      by bkgood (986474)

      Ageist much? Do you really think that a CEO like Zuckerberg wrote, demanded or even approved something as simple as a "spice up the login error page" project?

      Anyway, the guy is 26. He can buy booze, fight for his country and successfully run a multi-million dollar company. Most of slashdot, even adult slashdot, cannot claim all three.

      Finally, I really don't know what all the commotion is about, I just logged out of Facebook and tried logging back in with my email address and a bad password; I got the standa

    • Re: (Score:3, Funny)

      by Matt Perry (793115)
      I know! He's just making money for the company hand over fist. Obviously he doesn't know anything about running a company.

      </sarcasm>

  • Could? (Score:1, Insightful)

    by Anonymous Coward

    "Could" be misused? How about "has" and "is"?

  • > that could be misused by spammers to harvest user names and photographs. ...that has been widely used by spammers, collection agencies, the government, terrorists, aliens (from outer space and otherwise), foreign governments and the like to harvest user names, photographs and e-mails for years.

    There. Fixed that for you.

  • by bugs2squash (1132591) on Thursday August 12, 2010 @04:24PM (#33232434)
    The site should go down for maintenance until they fix the issue, and only then brought back online.
    • Re: (Score:2, Funny)

      by Anonymous Coward

      The site should go down for maintenance until they fix the issue, and only then brought back online.

      Good idea. I'm all for bringing it down. Think of how much more productive households, college campuses, and the workplace will be for networks not already blocking facebook access. The increase in productivity would cause a spike in the world economy and take us out of the recession :-)

      • by cosm (1072588)

        The site should go down for maintenance until they fix the issue, and only then brought back online.

        Good idea. I'm all for bringing it down. Think of how much more productive households, college campuses, and the workplace will be for networks not already blocking /. access. The increase in productivity would cause a spike in the world economy and take us out of the recession :-)

        FTFY

  • by SplatMan_DK (1035528) * on Thursday August 12, 2010 @04:26PM (#33232478) Homepage Journal

    This flaw is no longer available on Facebook logon pages.

    In fact it was removed before this story made it to the /. front page.

    It was removed approx. 11 hours after the first public articles about it.

    - Jesper

    • Re: (Score:2, Offtopic)

      +1...if I could.

      Again Slashdot delivers slow, out-of-date news.

      • Re: (Score:3, Insightful)

        by C_Kode (102755)

        In this case, I consider it a good thing.

        • by Khyber (864651)

          Why? Given the shit concerning this site, one would think it would have been better for this knowledge to get out even faster so people would know to drop that site like a hot lava rock.

      • I am currently reading a novel called "Rollback." In the story, Earth received a message from alien life forms on a distant planet in 2010. One of the main characters, a SETI researcher, doesn't find out about it until after the news has been leaked publicly. Her husband breaks it to her: "It's all over the Internet, including Slashdot!" And my reaction was, "What? Slashdot already has it on the frontpage? She must really be the last person to find out!"
    • Re: (Score:3, Interesting)

      by Anonymous Coward

      Really? I just went to Facebook, put in my email address and a bad password in, and I see "Login as: [My full name] [my email] Not you? click here". My picture is a blank picture, but it always is because I have all pictures turned off publicly. So, if they've removed the flaw, they've either not deployed it to all their servers yet (possible), or they really did a bad job of removing it.

    • by Anonymous Coward

      I just tested it. Logged out, logged back in with the wrong password.

      Guess what? It shows my name. I've turned off sharing my profile picture but the main article is talking about it scraping names for realistic spam. That is still available.

      Where are you getting your information again?

      • Re: (Score:1, Informative)

        by Anonymous Coward

        I just tested it. Logged out, logged back in with the wrong password.

        Guess what? It shows my name. I've turned off sharing my profile picture but the main article is talking about it scraping names for realistic spam. That is still available.

        Where are you getting your information again?

        Maybe it relies on a cookie or something, and it only shows that to you because you've been logged in before. I just tried a friend's email address and wrong password, and it didn't show me any information about him. He has never been logged into Facebook on this machine.

        • by Kelson (129150) * on Thursday August 12, 2010 @04:59PM (#33232964) Homepage Journal

          Maybe it relies on a cookie or something, and it only shows that to you because you've been logged in before.

          That does seem to be the case. I just tested it on two browsers, one of which I don't use with Facebook.

          On the browser that I don't use with Facebook, the "Please enter your password" screen did not include a name or picture.

          On the browser that I do use with Facebook, and had just logged out seconds before, my name and photo did appear. However, if I entered someone else's address, the name and photo did not appear. Just for kicks, I tried two email addresses, one of which I know does have an account and one of which I know doesn't. Facebook *did* tell me which one was not associated with an account.

          A spammer isn't going to have your cookies, so they won't get your name and photo. But they can confirm whether you have a Facebook account or not.

    • This flaw is no longer available on Facebook logon pages.

      In fact it was removed before this story made it to the /. front page.

      It was removed approx. 11 hours after the first public articles about it.

      - Jesper

      Sorry Jesper, but you are wrong. I just tried it and the problem HAS NOT been fixed as of 4:47pm EST today.

      • by Kelson (129150) *

        Try clearing your cookies in between (or just use a different browser), or test it with someone else's email address. It only shows your name and photo if you were previously logged on with the same account.

        I'm not sure how wise that is, but it's certainly an improvement over any random person being able to extract the information (assuming, of course, that your name and photo aren't already publicly associated with that email address via other channels).

      • Sorry Jesper, but you are wrong. I just tried it and the problem HAS NOT been fixed as of 4:47pm EST today.

        Fair enough, you tested it and found the flaw alive and kicking.

        Did you flush your browser cache before testing? And did you ensure that you are not getting the page from a proxy server someweher between you and the FB server?

        If you are still getting the flaw (as I can see a number of other users are also reporting) my guess is that:

        1.) They are getting cached results from somewhere
        2.) Facebook has fixed the flaw, but propagating it to their 32.000 servers (literally dude) takes a little time.

        Obvio

    • Slashdot: recent history for nerds, stuff that once mattered.

    • Just tried right before this post with a browser I don't use Facebook on, with a couple email addresses for users from a forum that I admin. It most definitely showed real names for the people, although not pictures. Could be that none of them have pictures. It took 3 failed logins and then a captcha before it showed the name.

  • I noticed this the other day, but I was kind of hoping it only brought that up because I had a cookie and had logged in before... Guess not.
  • Scraping (Score:3, Insightful)

    by wideBlueSkies (618979) * on Thursday August 12, 2010 @04:32PM (#33232558) Journal

    Jeez... you can write a perl script to do the scraping in about 15 minutes.

    Besides the fix for the insecure functions on the page, I certainly hope they are doing IP blocking....

    But what a bunch of PR jumbo... the problem is the result of a bug?? I'd disagree. I've seen the login error page. The function of showing the image and repeating the email address is by design . A horribly insecure design in the context of Facebook's privacy settings setup. But it was a design decision, not a bug.

    At least that's how I see it.

    • Re:Scraping (Score:4, Interesting)

      by RAMMS+EIN (578166) on Thursday August 12, 2010 @05:28PM (#33233264) Homepage Journal

      ``But it was a design decision, not a bug.''

      Also, not telling whether they got the username correct or wrong is security 101.

      This is yet another case of Facebook having done the wrong thing for their users' privacy, and correcting things only to lessen the negative publicity. It's not an accident.

  • by Anonymous Coward

    "Facebook Bug Could Give Spammers Names, Photos"

    Names, Photos?

    A comma was traditionally used in printing headlines in place of "and" because the litho did not usually have an ampersand character with which to save space.

    There is no excuse for this misuse of the comma in the 21st century.

    • by PhxBlue (562201)
      How do you figure it's misuse? It was used in that headline to separate two items on a list. Since there are still a few print-edition papers here and there, it still makes sense to use commas in place of "and" for headlines.
  • by Rooked_One (591287) on Thursday August 12, 2010 @04:47PM (#33232798) Journal
    I deactivated my account log ago, and just checked - it doesn't say a word about who I am. Not sure if anyone else has tried this to actually see if it works.
  • Predicted long ago (Score:4, Interesting)

    by betterunixthanunix (980855) on Thursday August 12, 2010 @05:16PM (#33233156)
    My security engineering text (Anderson, 2nd edition) predicted that social networking websites would become security liabilities because of the amount of personal information they store about their members. That book was published in 2007.

    "We were warned?"
  • Not just the "re-enter password" page. If you enter an email address in the normal facebook search box, facebook will show you the name of the account that uses that email address (though not the photo, if it is blocked).
  • I don't have a facebook account, but I tried a few random emails (pretty much name@gmail.com), and came up with a full name and photo (although more commonly just the full name).

    1. enter email address with 'mashed keys' as password
    2. enter email address with 'mashed keys' as password 2 more times at 'incorrect login' screen
    3. enter captcha
    4. if email address represents a real user, their name (and photo, if it exists) shows up
  • Internet security (Score:4, Insightful)

    by LoudMusic (199347) on Thursday August 12, 2010 @06:38PM (#33233878)

    Q: Is your personal data safe?

    A: [in form of a question] Is it in anyway a part of the internet, including being on your own computer in your own home, which is connected to the internet? If yes, then no.

    Hell, even if I don't have a Facebook account and someone takes a pictures of me and uploads it to Facebook and tags it with my name then the internet knows what I look like. Privacy is a joke.

    On the other hand, perhaps there's a market in creating false identities for people as a false data internet flood. As a business they would sign up for popular social networks with your name and upload a variety of pictures claiming to be you, with routine updates about things you're not actually doing. They could use their client list to 'friend' each other and build a nice false society. If someone on the internet ever posted true or factual information or pictures about you it would be considered less reliable due to the voluminous FUD being provided by the company hired to provide false information, and therefor discarded.

  • I noticed this 'feature' a long time ago when I entered my password wrong. I was a bit concerned at the time and I did think "what sort of idiot thinks of an idea like this"... At least they're fixing it.
  • From TFA:

    "We have technical systems in place to prevent people's names and photos from showing to unrelated users upon login, but a recently introduced bug temporarily prevented these from working as intended," a company spokeswoman said in an e-mail message. "We are already working on a fix and expect to remedy the situation shortly."

    If by "upon login" they mean when a wrong password is entered, I don't understand what the bug is, since the "Is that you?" screen is the intended behavior, not a buggy one. By the way, it only happens if the email address matches the account which was last logged in on the browser, and it forgets it if you wipe the cookies (maybe the "bug" is already fixed?). But even if that page was shown for any email, that's not the only or even the easiest way to get the name and picture matching an email; th

  • Facebook doesn't care about users' privacy. Mark Zuckerburg has already said as much and his opinions on privacy are well known and oft repeated points of public controversy. It follows then that he doesn't much care for security either. In fact, it is likely that Mark is more concerned about competitors and would be rivals getting their hands on "his" data and beating him to the advertising punch than he is about the potential consequences for his users. This episode really shouldn't surprise anyone here o
  • Don't use real names on FB. Online friends will know you by your handle. You can choose your friends and be in control. Basing accounts on email addresses is a good idea but link your FB account to an email that doesn't contain your real name too.
    • > Don't use real names on FB.

      I think it may be a good idea the create an FB account in your real name, but it should be a dummy account, existing just to block "pranksters" from using it.

  • That's not a 'bug'. Its an incredibly bad design decision.

To thine own self be true. (If not that, at least make some money.)

Working...