New large-scale leak detected on Facebook
Facebook is still plagued by last year’s leaked phone numbers of 500 million users. The largest social network now faces a serious new privacy challenge: a tool has appeared that makes it possible to find out the addresses of Facebook accounts on a massive scale for those users who make their email publicly available.
On Tuesday, a video was published in which a researcher demonstrated a tool called Facebook Email Search 1.0, which can link Facebook accounts with 5 million email addresses per day. The researcher said he released the information after Facebook said it did not consider the vulnerability he discovered important enough to need fixing.
Journalists at Ars Technica received this video on the condition that they would not distribute it. However, in their article, they published a complete transcription of the audio from the video. They approached Facebook for comment and received a response: “It looks like we mistakenly closed this vulnerability issue before forwarding it to the appropriate team. We appreciate that the researcher shares this information and are taking initial steps to combat this problem and will continue to understand the findings better.”
A Facebook spokesperson did not respond to a question about whether the company told the researcher that it did not consider the vulnerability important enough to pursue a fix. The spokesperson said only that Facebook engineers believe they have already fixed the problem by turning off the option to use the method shown in the video.
The researcher, who prefers to remain anonymous, noted that the email search method he identified was caused by a vulnerability in the front end. Earlier this year, Facebook had a similar problem, which the company also eventually addressed. “Essentially, this is the same vulnerability,” says the researcher. “And for some reason, even though I showed the problem to Facebook and let them know about it, they told me bluntly that they would not take any action to fix it.”
It is unclear whether cybercriminals (especially phishing scammers) have used this method, though it would not be surprising if they had.