
Facebook Bug Could Give Spammers Names, Photos 145

Posted by timothy
from the who-am-I-again? dept.
angry tapir writes with this excerpt from an IDG report: "Facebook is scrambling to fix a bug in its website that could be misused by spammers to harvest user names and photographs. It turns out that if someone enters the e-mail address of a Facebook user along with the wrong password, Facebook returns a special 'Please re-enter your password' page, which includes the Facebook photo and full name of the person associated with the address. A spammer with an e-mail list could write a script that enters the e-mail addresses into Facebook and then logs the real names. This could help make a phishing attack more realistic."

  • by yincrash (854885) on Thursday August 12 2010, @04:22PM (#33232386)
    A user can prevent the profile picture from showing, and you can't search by email address (that I know of). However, this bypasses the profile picture privacy option.
  • by Anonymous Coward on Thursday August 12 2010, @04:34PM (#33232576)

    "Facebook Bug Could Give Spammers Names, Photos"

    Names, Photos?

    A comma was traditionally used in printing headlines in place of "and" because the litho did not usually have an ampersand character with which to save space.

    There is no excuse for this misuse of the comma in the 21st century.

  • Re:*Smack Face* (Score:2, Interesting)

    by ilo.v (1445373) on Thursday August 12 2010, @04:36PM (#33232608)

    Who is freaking writing these web pages? It would have been easier to NOT include photos and names

    I'm not defending their choices, but there is a legitimate reason why they would do this. Some users mistype their username, not their password. This results in a "failed login" screen. If there is no photo (or name) they may assume they have mistyped their password, and keep trying it over and over. Throwing up the picture associated with that account helps the user figure out that the reason they can't log in is because they are mistyping their username, not their password.

  • by Anonymous Coward on Thursday August 12 2010, @04:37PM (#33232620)

    Really? I just went to Facebook, put in my email address and a bad password, and I see "Login as: [My full name] [my email] Not you? click here". My picture is a blank picture, but it always is because I have all pictures turned off publicly. So, if they've removed the flaw, they've either not deployed it to all their servers yet (possible), or they really did a bad job of removing it.

  • Predicted long ago (Score:4, Interesting)

    by betterunixthanunix (980855) on Thursday August 12 2010, @05:16PM (#33233156)
    My security engineering text (Anderson, 2nd edition) predicted that social networking websites would become security liabilities because of the amount of personal information they store about their members. That book was published in 2007.

    "We were warned?"
  • Re:Scraping (Score:4, Interesting)

    by RAMMS+EIN (578166) on Thursday August 12 2010, @05:28PM (#33233264) Homepage Journal

    ``But it was a design decision, not a bug.''

    Also, not telling whether they got the username correct or wrong is security 101.

    This is yet another case of Facebook having done the wrong thing for their users' privacy, and correcting things only to lessen the negative publicity. It's not an accident.
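
The behaviour in the summary (a wrong password for a known address returns a page carrying the account's name and photo, while an unknown address gets a different page) next to the "security 101" uniform response this comment calls for. This is an added illustration, not Facebook's code; the user store, salt, names and photo URL are constructed, and `leaks_account_existence` is a hypothetical defender-side check.

```python
import hashlib
import hmac

# Constructed sample credentials; a real system would use per-user salts.
_SALT = b"constructed-salt"

def _hash(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 50_000)

USERS = {
    "alice@example.com": {             # constructed account
        "hash": _hash("correct horse", _SALT),
        "name": "Alice Example",
        "photo": "https://example.com/alice.jpg",
    },
}
# Verified when the email is unknown so both failure paths do the same work.
_DUMMY_HASH = _hash("dummy", _SALT)

def login_leaky(email: str, password: str) -> dict:
    """Mirrors the bug: a wrong password for a known address returns a
    're-enter your password' response that includes name and photo."""
    user = USERS.get(email)
    if user is None:
        return {"status": "error", "message": "Incorrect email or password."}
    if hmac.compare_digest(user["hash"], _hash(password, _SALT)):
        return {"status": "ok", "name": user["name"]}
    return {"status": "reenter", "name": user["name"], "photo": user["photo"]}

def login_uniform(email: str, password: str) -> dict:
    """Hardened: every failed login gets the same response, and the dummy
    hash keeps the unknown-email path as slow as the known-email path."""
    user = USERS.get(email)
    expected = user["hash"] if user else _DUMMY_HASH
    ok = hmac.compare_digest(expected, _hash(password, _SALT))
    if user is not None and ok:
        return {"status": "ok", "name": user["name"]}
    return {"status": "error", "message": "Incorrect email or password."}

def leaks_account_existence(handler) -> bool:
    """Hypothetical defender check: a failed login for a known email must be
    indistinguishable from one for an unknown email. True means enumerable."""
    known = handler("alice@example.com", "wrong-password")
    unknown = handler("nobody@example.com", "wrong-password")
    return known != unknown
```

The same check belongs on password-reset and sign-up endpoints, which leak account existence just as readily as the login page does.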

  • Re:*Smack Face* (Score:5, Interesting)

    by paulbiz (585489) on Thursday August 12 2010, @05:57PM (#33233538) Journal

    I have a "good" gmail address (my full name@gmail.com) and I constantly get e-mail from other people signing up for things who apparently don't know their own e-mail address. I've received passwords and various other sensitive data. Sprint was sending me receipts for someone's very large corporate purchases; I kept replying and forwarding them to Sprint's customer care, and they basically told me they can't do anything about it and to just delete them and not worry about it.

    It's also amazing how many sites will not let you unsubscribe without providing some kind of personal info. Seriously? They let you sign up with the wrong address without confirming it, but I can't unsubscribe unless I know the last 4 digits of the guy's SSN?

  • Re:*Smack Face* (Score:3, Interesting)

    by Pharmboy (216950) on Thursday August 12 2010, @06:03PM (#33233602) Journal

    I have a "good" gmail address (my full name@gmail.com) and I constantly get e-mail from other people signing up for things who apparently don't know their own e-mail address.

    Glad to know I am not the only one. My yahoo email address, which I have used since the mid 90s when they started offering email (back when 9 characters was the maximum name size....) gets the same thing, legitimate "thanks for signing up" from legit companies, where some idiot didn't know their own email address. Ironically, my email address is a real oddball one, so how they would use it is beyond me.

  • Re:*Smack Face* (Score:5, Interesting)

    by Dhalka226 (559740) on Thursday August 12 2010, @06:23PM (#33233746)

    I had the same problem happen, with some extremely sensitive data coming in.

    In addition to somewhat mundane things like airline confirmations, hotel confirmations, etc., there were several letters about legal problems. The person they were trying to reach is apparently the head of an investment group and under investigation by the SEC. I also once received an email containing a bank account number with routing number. Usually it was sent to his (proper) business address and CC'd to my address, which I assume they thought was a personal address for him. When correspondence from lawyers started coming in I decided it was well past time to start emailing these people and telling them to oh my god please stop. That's a can of worms I just wanted no part of whatsoever.

    I did do a quick Google search for the guy; same last name, different first name (same first initial, the combination of which is my email address). Really a problem that shouldn't have happened, especially not that many times from that many different sources.

  • by Archangel Michael (180766) on Thursday August 12 2010, @06:57PM (#33234018) Journal

    "Long ago" being any length of time greater than about 3 years???
