Poor Facebook... The bad news just keeps coming.
This week a researcher at Secfence Technologies, Atul Agarwal, found a vulnerability that put the full names, e-mail addresses and photos of Facebook users at risk, even if their privacy controls are set to keep those things private.
If someone enters the e-mail address of a Facebook user along with the wrong password, Facebook returns a special "Please re-enter your password" page, which includes the Facebook photo and full name of the person associated with the address. The feature...could be misused by spammers to get information on Facebook's 500 million users.
Atul Agarwal, who alerted the Full Disclosure mailing list after he found the problem, said spammers with lists of e-mail addresses could extract the full names and photos of the users to whom those e-mail addresses belong, and then use the info to make phishing attacks more attractive. Or, they could use the feature to validate lists of random e-mail addresses they have created, and then use those in phishing attacks.
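To make the two points above concrete, here is a small model of the login flow described in this post and of the harvesting it enables: a leaky handler that answers a wrong password for a known address with a personalised "re-enter your password" response carrying name and photo, a hardened handler that gives the same anonymous failure whether or not the address exists, and the loop a spammer would run over an address list against each. This is an added illustration written for this article, not Facebook's code; the user table, passwords, photo URLs and candidate addresses are constructed, and the hashing is simplified for the example.

```python
"""Login-response account enumeration: leaky handler, hardened handler,
and the harvesting loop that exploits the leak.
Example code written for this article; all data below is constructed."""

import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class User:
    email: str
    full_name: str
    photo_url: str
    salt: bytes
    pw_hash: bytes


def _hash(password: str, salt: bytes) -> bytes:
    # Illustrative only; a real service would use a slow KDF (scrypt, argon2).
    return hashlib.sha256(salt + password.encode()).digest()


def make_user(email: str, name: str, photo: str, password: str) -> User:
    salt = secrets.token_bytes(16)
    return User(email, name, photo, salt, _hash(password, salt))


# Constructed sample accounts (hypothetical, not real people).
USERS: Dict[str, User] = {
    u.email: u
    for u in [
        make_user("alice@example.com", "Alice Example", "https://example.invalid/p/alice.jpg", "hunter2"),
        make_user("bob@example.com", "Bob Example", "https://example.invalid/p/bob.jpg", "correcthorse"),
    ]
}

# Dummy record so unknown addresses still cost one hash (keeps timing uniform).
_DUMMY = make_user("", "", "", secrets.token_hex(16))


def _password_ok(user: User, password: str) -> bool:
    return hmac.compare_digest(_hash(password, user.salt), user.pw_hash)


def login_leaky(email: str, password: str) -> dict:
    """Vulnerable: a wrong password for an EXISTING address returns a
    personalised page with the account's name and photo, while an unknown
    address gets a plain error. The difference is an oracle for address
    validity and, worse, hands back profile data the user marked private."""
    user = USERS.get(email)
    if user is None:
        return {"status": "error", "message": "Incorrect email or password."}
    if _password_ok(user, password):
        return {"status": "ok", "message": f"Welcome, {user.full_name}"}
    return {
        "status": "reenter",
        "message": "Please re-enter your password",
        "full_name": user.full_name,
        "photo_url": user.photo_url,
    }


def login_hardened(email: str, password: str) -> dict:
    """Hardened: every failure, known or unknown address, is byte-identical
    and carries no profile data; profile details appear only after success."""
    user = USERS.get(email)
    target = user if user is not None else _DUMMY
    ok = _password_ok(target, password) and user is not None
    if ok:
        return {"status": "ok", "message": f"Welcome, {user.full_name}"}
    return {"status": "error", "message": "Incorrect email or password."}


def harvest(login: Callable[[str, str], dict], candidates: List[str]) -> Dict[str, dict]:
    """What a spammer would do with an address list: submit each address with
    a junk password and keep whatever the failure response gives away."""
    found: Dict[str, dict] = {}
    for addr in candidates:
        resp = login(addr, "not-the-password")
        if resp.get("status") == "reenter":
            found[addr] = {"full_name": resp["full_name"], "photo_url": resp["photo_url"]}
    return found


# Constructed candidate list: two real (sample) accounts, one guess.
CANDIDATES = ["alice@example.com", "nobody@example.com", "bob@example.com"]

if __name__ == "__main__":
    print("leaky:   ", harvest(login_leaky, CANDIDATES))
    print("hardened:", harvest(login_hardened, CANDIDATES))
```

Against `login_leaky` the harvest loop recovers both sample accounts' names and photos and confirms which addresses are valid; against `login_hardened` it recovers nothing, because the two failure paths are indistinguishable in content (and, with the dummy hash, roughly in timing). Any per-account "helpful" hint on the failure path, not just a photo, reintroduces the oracle.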
Facebook is attributing the problem to a recently introduced bug that caused the controls intended to prevent such disclosure to stop working. A spokesperson told PCWorld the company is working on a fix and should have it shortly.