Security Social Networks IT

Facebook Bug Could Give Spammers Names, Photos

angry tapir writes with this excerpt from an IDG report: "Facebook is scrambling to fix a bug in its website that could be misused by spammers to harvest user names and photographs. It turns out that if someone enters the e-mail address of a Facebook user along with the wrong password, Facebook returns a special 'Please re-enter your password' page, which includes the Facebook photo and full name of the person associated with the address. A spammer with an e-mail list could write a script that enters the e-mail addresses into Facebook and then logs the real names. This could help make a phishing attack more realistic."
  • *Smack Face* (Score:5, Insightful)

    by Monkeedude1212 ( 1560403 ) on Thursday August 12, 2010 @04:13PM (#33232256) Journal

    Seriously? Who is freaking writing these web pages? It would have been easier to NOT include photos and names than to build it in there!

  • by Revotron ( 1115029 ) on Thursday August 12, 2010 @04:15PM (#33232276)

    Fixing this alone means nothing. If you search for someone on Facebook it will show you a name and a profile picture. Sure, it requires a facebook account, but that's not too hard to create for somebody with 4,000,000 email addresses.

  • Re:*Smack Face* (Score:4, Insightful)

    by odies ( 1869886 ) on Thursday August 12, 2010 @04:15PM (#33232284)

    I think the summary and story are looking at the wrong aspect of it too. Spammers, whatever. You're just one in a million. This is a lot more serious for people that just know your email, but are in more personal contact with you than some spammers. Website owners, forum administrators, people you meet on the internet.. Those who know your email but don't really know your real identity. That's a lot more serious privacy violation.

  • Need an adult (Score:4, Insightful)

    by dan_sdot ( 721837 ) on Thursday August 12, 2010 @04:16PM (#33232300)
    Ok, we need an adult to start running this company please. Seriously, this Zuckerberg guy is so far out of his league it is laughable.
  • Could? (Score:1, Insightful)

    by Anonymous Coward on Thursday August 12, 2010 @04:17PM (#33232314)

    "Could" be misused? How about "has" and "is"?

  • by bugs2squash ( 1132591 ) on Thursday August 12, 2010 @04:24PM (#33232434)
    The site should go down for maintenance until they fix the issue, and only then brought back online.
  • by TheGratefulNet ( 143330 ) on Thursday August 12, 2010 @04:26PM (#33232468)

    I have no FB account (never will, either!) yet I can do a google cache search AND get 'goodies' on FB users that way.

    so, that's yet another hole that needs to be patched.

  • Re:From TFA (Score:4, Insightful)

    by interkin3tic ( 1469267 ) on Thursday August 12, 2010 @04:30PM (#33232546)

    They should probably throw in a logical paradox to make their heads explode or short circuit. Like "It's forbidden to use this picture and name for evil purposes, because people want privacy, even though they put it all up there suggesting they don't want privacy... think about that."

    There's only one problem...

    "Santa-bot: Nice try. But my head was built with paradox-absorbing crumple-zones"

  • Scraping (Score:3, Insightful)

    by wideBlueSkies ( 618979 ) * on Thursday August 12, 2010 @04:32PM (#33232558) Journal

    Jeez... you can write a perl script to do the scraping in about 15 minutes.

    Besides the fix for the insecure functions on the page, I certainly hope they are doing IP blocking....

    But what a bunch of PR jumbo... the problem is the result of a bug?? I'd disagree. I've seen the login error page. The function of showing the image and repeating the email address is by design. A horribly insecure design in the context of Facebook's privacy settings setup. But it was a design decision, not a bug.

    At least that's how I see it.

  • by C_Kode ( 102755 ) on Thursday August 12, 2010 @04:33PM (#33232564) Journal

    In this case, I consider it a good thing.

  • by natehoy ( 1608657 ) on Thursday August 12, 2010 @04:42PM (#33232704) Journal

    This means a lot if you have set your profile to be non-searchable and set your name and/or profile picture to be "visible to friends only".

    POTS analogy: This is like going to the effort of getting an "unlisted number", where you aren't supposed to be listed in the phone book and your address is not supposed to be divulged to anyone, then finding out that anyone who happens upon your number and dials it gets a recording that includes your name and address.

    Having said that, everything you enter in Facebook should be considered viewable by everyone on the planet. Facebook doesn't exactly have a long and reliable history of protecting the identity of the people who use it. They'd sell you for a nickel. They'd probably send someone to strangle your cat if they thought your angst-ridden posts would generate a few thousand more page views. It's not exactly like this should come as a surprise to anyone, especially those of us who actually use it.

    So, as someone mentioned above - this is a very, very serious bug to Facebook. This information should NEVER be given out to anyone... who isn't paying for it.

  • Re:*Smack Face* (Score:3, Insightful)

    by Abstrackt ( 609015 ) on Thursday August 12, 2010 @05:03PM (#33233006)
    I do some of my banking with ING and they let you select a combination of a picture and phrase that's unique to you, why couldn't Facebook implement the same? All they would need is a stock of pictures for people to choose from and a text field. If you don't see your selected picture and your selected text you'd know you tried logging into the wrong account.
  • Re:*Smack Face* (Score:3, Insightful)

    by SmlFreshwaterBuffalo ( 608664 ) on Thursday August 12, 2010 @05:05PM (#33233024)

    I wouldn't call that a legitimate reason since that implies, well, legitimacy. Instead, it's simply a possible explanation for how they arrived at their poor choice.

    A more secure solution to the problem you pose would be to clear the user name on the "failed login" screen in addition to the password, regardless of which is incorrect. And if anyone wants to argue that having to retype both would be inconvenient, I'll preemptively counter by saying security should not be sacrificed for the sake of convenience.
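
    An added example (not Facebook's code and not posted by any commenter) that puts wideBlueSkies's scraping point and the "clear both fields on failure" suggestion above into working Python. login_vulnerable() behaves as the story describes (a wrong password for a known e-mail hands back the account holder's name and photo), login_hardened() answers every failure with one identical response, harvest() is the spammer-side loop a list of e-mail addresses is fed through, and FailureThrottle stands in for the IP blocking asked for. The e-mail addresses, names, photo URLs, passwords and function names are all constructed for the demo.

```python
"""Account-enumeration oracle in a login flow (added example; constructed data).
login_vulnerable() mirrors the story: a wrong password for a known e-mail returns
the account holder's name and photo. login_hardened() answers every failure
identically, so an e-mail list alone yields nothing. harvest() is the spammer loop.
"""
import hashlib
import hmac
import secrets
import time
from collections import defaultdict, deque
from dataclasses import dataclass

PBKDF2_ROUNDS = 20_000  # low for a quick demo; use far more in production
GENERIC_FAILURE = {"status": "error", "message": "Incorrect email or password."}
DUMMY_SALT = secrets.token_bytes(16)  # equalises hashing cost for unknown e-mails

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

@dataclass(frozen=True)
class Account:
    name: str
    photo: str
    salt: bytes
    pw_hash: bytes

def make_account(name: str, photo: str, password: str) -> Account:
    salt = secrets.token_bytes(16)
    return Account(name, photo, salt, _hash(password, salt))

# Constructed sample accounts keyed by e-mail address (not real users).
USERS = {
    "alice@example.com": make_account("Alice Example", "https://example.com/p/alice.jpg", "correct horse"),
    "bob@example.com": make_account("Bob Example", "https://example.com/p/bob.jpg", "battery staple"),
}

def check_password(account: Account, password: str) -> bool:
    return hmac.compare_digest(_hash(password, account.salt), account.pw_hash)

def login_vulnerable(email: str, password: str) -> dict:
    """Three distinguishable outcomes; the middle one is the oracle."""
    account = USERS.get(email)
    if account is None:
        return dict(GENERIC_FAILURE)
    if check_password(account, password):
        return {"status": "ok", "name": account.name}
    # The "please re-enter your password" page: identifies the account from the e-mail alone.
    return {"status": "reenter_password", "email": email, "name": account.name, "photo": account.photo}

def login_hardened(email: str, password: str) -> dict:
    """Success, or one failure response that is the same for an unknown e-mail and
    a wrong password. The form itself should also drop the e-mail on failure."""
    account = USERS.get(email)
    if account is None:
        _hash(password, DUMMY_SALT)  # same work as a real check, so timing is not the oracle
        return dict(GENERIC_FAILURE)
    if check_password(account, password):
        return {"status": "ok", "name": account.name}
    return dict(GENERIC_FAILURE)

def harvest(login, emails, junk_password: str = "x") -> dict:
    """Spammer side: feed each address with a junk password, keep any identity returned."""
    found = {}
    for email in emails:
        resp = login(email, junk_password)
        if resp.get("status") == "reenter_password":
            found[email] = (resp["name"], resp["photo"])
    return found

class FailureThrottle:
    """Per-client failed-login budget (the 'IP blocking' asked for above). A scraper
    spread over many source addresses stays under each limit, so this only slows
    the harvest; the uniform failure response is what actually closes the leak."""

    def __init__(self, limit: int = 5, window: float = 600.0, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self._failures = defaultdict(deque)

    def allow(self, client: str) -> bool:
        q, now = self._failures[client], self.clock()
        while q and now - q[0] > self.window:
            q.popleft()  # expire failures older than the window
        return len(q) < self.limit

    def record_failure(self, client: str) -> None:
        self._failures[client].append(self.clock())

def login_throttled(throttle: FailureThrottle, client: str, email: str, password: str) -> dict:
    if not throttle.allow(client):
        return {"status": "throttled", "message": "Too many attempts. Try again later."}
    resp = login_hardened(email, password)
    if resp["status"] != "ok":
        throttle.record_failure(client)
    return resp
```

    Running harvest(login_vulnerable, emails) over a constructed list returns a name and photo for every address that has an account, which is exactly the spammer's script from the comments; the same list through login_hardened() returns nothing, because the failure page no longer distinguishes "no such e-mail" from "wrong password". The throttle is worth having, but note the caveat in its docstring: it raises the cost of scraping, while only the uniform response removes the oracle, and the profile-search path other commenters mention is a separate leak this code does not address.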

  • Re:*Smack Face* (Score:5, Insightful)

    by yenne ( 1366903 ) on Thursday August 12, 2010 @05:37PM (#33233378)

    I just tried it. Looks to me like Facebook has a problem with users who enter the wrong e-mail address and can't figure out why their logon isn't working. Hence, the "Not you? Click here." option beside the picture.

    It's entirely possible that the idiocy behind the interface design is in an ongoing stupidity arms race with the consumers on the other end.

  • by Anonymous Coward on Thursday August 12, 2010 @05:44PM (#33233434)

    How exactly?

    Facebook's configuration is so convoluted. Everything is spread around on different pages and stuff, so annoying. It's very hard to find any particular privacy or profile setting.

  • Internet security (Score:4, Insightful)

    by LoudMusic ( 199347 ) on Thursday August 12, 2010 @06:38PM (#33233878)

    Q: Is your personal data safe?

    A: [in form of a question] Is it in any way a part of the internet, including being on your own computer in your own home, which is connected to the internet? If yes, then no.

    Hell, even if I don't have a Facebook account and someone takes a picture of me and uploads it to Facebook and tags it with my name then the internet knows what I look like. Privacy is a joke.

    On the other hand, perhaps there's a market in creating false identities for people as a false data internet flood. As a business they would sign up for popular social networks with your name and upload a variety of pictures claiming to be you, with routine updates about things you're not actually doing. They could use their client list to 'friend' each other and build a nice false society. If someone on the internet ever posted true or factual information or pictures about you it would be considered less reliable due to the voluminous FUD being provided by the company hired to provide false information, and therefore discarded.

  • Re:*Smack Face* (Score:4, Insightful)

    by Khyber ( 864651 ) <techkitsune@gmail.com> on Friday August 13, 2010 @01:22AM (#33236050) Homepage Journal

    This is why I do not use my name as part of my e-mail address.

    This cuts down on that problem considerably.

  • Re:*Smack Face* (Score:3, Insightful)

    by billcopc ( 196330 ) <vrillco@yahoo.com> on Friday August 13, 2010 @01:59AM (#33236180) Homepage

    I don't see what the big fuss is... it's your name. If someone has your email address, they probably have some sense of who you are. If you don't trust them with your real name, then at the very least have some forethought and give them a throwaway email address.

    Me, I'm Bill Lambert. My email address is billco@fnarg.com . Says so on my whois records. Big fucking whoop. That's what spamassassin is for.
