Facebook patches photo and name-scraping flaw

Summary: A bug in Facebook's login page that could have exposed usernames and photos has been closed, according to the company

Facebook has dealt with a bug in its login page that potentially exposed users' names and photos to phishers and spammers.

The company said on Tuesday that the hole had been closed, almost a week after it was exposed by a security researcher. "We have technical systems in place to prevent people's names and profile photos from showing to unrelated users upon login, but a recently-introduced bug temporarily prevented these from working as intended," Facebook said in a statement. "We remedied the situation swiftly."


The bug was revealed on the Full Disclosure mailing list on 11 August by security researcher Atul Agarwal, who noticed that entering an email address on the Facebook login page would return the username and photo associated with the address, even without a valid password. The bug was on the login page for an appreciable amount of time, said the researcher.

"Sometime back, I noticed a strange problem with Facebook," said Agarwal. "I had accidentally entered [the] wrong password in Facebook, and it showed my first and last name with profile picture, along with the password incorrect message."

Agarwal wrote a proof-of-concept piece of code which extracted the first and last name of the user when an email address was entered, and made the code available through Full Disclosure. The researcher said an attacker could easily write a program to automate email address testing and scrape photos.
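As an added illustration, not Facebook's code or Agarwal's proof of concept, the following Python contrasts a login handler that behaves the way the report describes (returning the account's name and photo on a wrong password) with one that answers identically whether or not the address is registered; the user store, salt and password are constructed sample values, and a single shared salt is a simplification.

```python
import hashlib
import hmac

# Constructed sample data (not real accounts). A real system would use a
# per-user salt; one shared salt keeps this example short.
_SALT = b"constructed-salt"


def _hash(password: str, salt: bytes = _SALT) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


USERS = {
    "alice@example.com": {"hash": _hash("correct horse"), "first": "Alice",
                          "last": "Liddell", "photo": "/photos/alice.jpg"},
}
# Hashed for unknown addresses so both paths do the same amount of work.
_DUMMY_HASH = _hash("placeholder")


def login_leaky(email: str, password: str) -> dict:
    """Mirrors the reported behaviour: a wrong password still returns profile details."""
    user = USERS.get(email)
    if user is None:
        return {"ok": False, "error": "unknown email"}
    if not hmac.compare_digest(_hash(password), user["hash"]):
        return {"ok": False, "error": "password incorrect",
                "first": user["first"], "last": user["last"], "photo": user["photo"]}
    return {"ok": True}


def login_uniform(email: str, password: str) -> dict:
    """Hardened: same generic response for an unknown address and a wrong password."""
    user = USERS.get(email)
    stored = user["hash"] if user is not None else _DUMMY_HASH
    matched = hmac.compare_digest(_hash(password), stored)
    if user is None or not matched:
        return {"ok": False, "error": "Invalid email or password"}
    return {"ok": True}


def leaks_existence(login_fn) -> bool:
    """True if a wrong-password attempt lets a caller tell registered from unregistered emails."""
    registered = login_fn("alice@example.com", "wrong-password")
    unregistered = login_fn("nobody@example.com", "wrong-password")
    return registered != unregistered
```

`leaks_existence` is the check a reviewer can run against any login handler: if the two failure responses differ in any field, the endpoint can be used to verify address lists.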

Criminals could have used the Facebook bug to verify lists of email addresses, F-Secure chief research officer Mikko Hypponen told ZDNet UK via Twitter direct message on Wednesday last week.

"I could easily see spammers and even phishers using this," said Hypponen at the time. "They already have the addresses. Now they get the names to go with them."

Facebook had not responded to a request for detailed comment at the time of writing.

Topic: Security

About

Tom is a technology reporter for ZDNet.com. He covers the security beat, writing about everything from hacking and cybercrime to threats and mitigation. He also focuses on open source and emerging technologies, all the while trying to cut through greenwash.


Talkback

1 comment
  • at other times tells me my password is wrong but it will be correct
    sekayi-ed117