Facebook Bug Could Give Spammers Names, Photos

Posted by timothy
from the who-am-I-again? dept.
angry tapir writes with this excerpt from an IDG report: "Facebook is scrambling to fix a bug in its website that could be misused by spammers to harvest user names and photographs. It turns out that if someone enters the e-mail address of a Facebook user along with the wrong password, Facebook returns a special 'Please re-enter your password' page, which includes the Facebook photo and full name of the person associated with the address. A spammer with an e-mail list could write a script that enters the e-mail addresses into Facebook and then logs the real names. This could help make a phishing attack more realistic."
  • by e065c8515d206cb0e190 (1785896) on Thursday August 12 2010, @04:24PM (#33232428)
    You can search by email address. And last time I checked the only way to not show your profile picture to the world was to not have one at all.
  • by SplatMan_DK (1035528) * on Thursday August 12 2010, @04:26PM (#33232478) Homepage Journal

    This flaw is no longer available on Facebook logon pages.

    In fact it was removed before this story made it to the /. front page.

    It was removed approx. 11 hours after the first public articles about it.

    - Jesper

  • by creat3d (1489345) on Thursday August 12 2010, @04:32PM (#33232562) Homepage
    You can set your profile not to be searchable by email address.
  • Re:*Smack Face* (Score:1, Informative)

    by mcgrew (92797) * on Thursday August 12 2010, @04:36PM (#33232606) Journal

    It would have been easier to NOT include photo's and names than to build it in there!

    Dude, please learn when to use an apostrophe [angryflower.com]. We have lots of non-native English speakers here, and they may assume that your use of language is educated, seeing as how this is a nerd site and all.

    Moderators, please mod me down, I'm offtopic. Thx.

  • by Anonymous Coward on Thursday August 12 2010, @04:38PM (#33232628)

    I just tested it. Logged out, logged back in with the wrong password.

    Guess what? It shows my name. I've turned off sharing my profile picture but the main article is talking about it scraping names for realistic spam. That is still available.

    Where are you getting your information again?

  • by Anonymous Coward on Thursday August 12 2010, @04:44PM (#33232748)

    I just tested it. Logged out, logged back in with the wrong password.

    Guess what? It shows my name. I've turned off sharing my profile picture but the main article is talking about it scraping names for realistic spam. That is still available.

    Where are you getting your information again?

    Maybe it relies on a cookie or something, and it only shows that to you because you've been logged in before. I just tried a friend's email address and wrong password, and it didn't show me any information about him. He has never been logged into Facebook on this machine.

  • Re:*Smack Face* (Score:2, Informative)

    by Monkeedude1212 (1560403) on Thursday August 12 2010, @04:47PM (#33232800) Journal

    It is a bad habit I have. I'll write a sentence, then I'll read it over, and decide to change the structure entirely, then re-read it a bit to make sure it makes sense, then put it up there without looking too much at grammar.

    So if I had said something like "The photo's location" but then decided the location part is irrelevant and I could just work it around to just say "the photos" then I do so, but it's all cut copy paste delete so the apostrophe remains in place. Makes errors and I apologize.

    I also tend to form a lot of run-on sentences or use too many commas, like that first sentence up there. I left it as is so you can see my general thought pattern. Normally I would go back and work my sentences into something with a little more sensible flow and pace. I have found that I abuse a hyphen quite frequently - as if putting it there makes it seem like a quick pause without needing to use a comma, which is terrible I know.

  • by Kelson (129150) * on Thursday August 12 2010, @04:59PM (#33232964) Homepage Journal

    Maybe it relies on a cookie or something, and it only shows that to you because you've been logged in before.

    That does seem to be the case. I just tested it on two browsers, one of which I don't use with Facebook.

    On the browser that I don't use with Facebook, the "Please enter your password" screen did not include a name or picture.

    On the browser that I do use with Facebook, and had just logged out seconds before, my name and photo did appear. However, if I entered someone else's address, the name and photo did not appear. Just for kicks, I tried two email addresses, one of which I know does have an account and one of which I know doesn't. Facebook *did* tell me which one was not associated with an account.

    A spammer isn't going to have your cookies, so they won't get your name and photo. But they can confirm whether you have a Facebook account or not.
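The account-existence oracle described in the comment above is the classic login-enumeration flaw. The following is an added example, not code from the article or from Facebook: a constructed user table with a leaky login check (different failure responses, and the account holder's name returned on a wrong password) beside a hardened one that returns a single uniform response and does the same amount of work whether or not the e-mail exists.

```python
import hashlib
import hmac
import secrets

# Constructed sample data; the salt and user are placeholders for the example.
_SALT = b"constructed-example-salt"


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


USERS = {
    "alice@example.com": {"name": "Alice Example", "hash": _hash("correct horse", _SALT)},
}

# Dummy hash so that an unknown e-mail still costs one PBKDF2 derivation,
# which keeps the response time from revealing whether the account exists.
_DUMMY_HASH = _hash(secrets.token_hex(8), _SALT)


def login_leaky(email: str, password: str) -> dict:
    """Mimics the behaviour the thread describes: failure responses differ by
    account state, and the wrong-password page carries the holder's name."""
    user = USERS.get(email)
    if user is None:
        return {"ok": False, "error": "No account for this e-mail address"}
    if hmac.compare_digest(user["hash"], _hash(password, _SALT)):
        return {"ok": True, "name": user["name"]}
    return {"ok": False, "error": "Please re-enter your password", "name": user["name"]}


def login_uniform(email: str, password: str) -> dict:
    """Hardened: one generic message for every failure, no profile data, and
    the password derivation runs whether or not the e-mail is registered."""
    user = USERS.get(email)
    expected = user["hash"] if user is not None else _DUMMY_HASH
    matched = hmac.compare_digest(expected, _hash(password, _SALT))
    if matched and user is not None:
        return {"ok": True, "name": user["name"]}
    return {"ok": False, "error": "Incorrect e-mail address or password"}


def is_enumeration_oracle(login_fn, known_email: str, unknown_email: str) -> bool:
    """Defender's check: True if a wrong-password attempt yields a different
    response for a registered address than for an unregistered one."""
    return login_fn(known_email, "wrong-password") != login_fn(unknown_email, "wrong-password")
```

Run `is_enumeration_oracle` against a login handler as a regression test: it must return False for any endpoint that is supposed to hide account existence.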

  • by prostoalex (308614) * on Thursday August 12 2010, @05:27PM (#33233256) Homepage Journal

    Only if 'Search for me on Facebook' is set to 'Everyone'
    http://www.facebook.com/settings/?tab=privacy&section=basic [facebook.com]

  • Re:Need an adult (Score:2, Informative)

    by bkgood (986474) on Thursday August 12 2010, @05:35PM (#33233346)

    Ageist much? Do you really think that a CEO like Zuckerberg wrote, demanded or even approved something as simple as a "spice up the login error page" project?

    Anyway, the guy is 26. He can buy booze, fight for his country and successfully run a multi-million dollar company. Most of Slashdot, even adult Slashdot, cannot claim all three.

    Finally, I really don't know what all the commotion is about, I just logged out of Facebook and tried logging back in with my email address and a bad password; I got the standard "bad email or password" error.

  • by forgot_my_nick (1138413) on Thursday August 12 2010, @06:41PM (#33233892)

    Almost certainly some brain dead acquaintance of yours knows both your email addresses, had them in their email address book under your name and allowed Facebook to rifle through it when they signed up.
