Facebook loophole reveals names, pictures with sign-on errors

It looks like there's yet another little bug that compromises the privacy of Facebook users - all 500 million of them - and it doesn't matter how a user has set the account's privacy settings.

The bug can be found in the error page that comes when a user attempts to sign in but types in the wrong password. The system automatically populates the error page with that user's first and last names, along with the profile picture, and gives the user the chance to re-enter the password.

Now, that's kind of helpful - not can't-live-without-it helpful - but still a nice feature for the user. But what if you type in someone else's e-mail address with the wrong password? Yup, you guessed it: full name and a profile pic for that person.

And to make matters worse, it doesn't even have to be the e-mail address that the person used to register his account. If that address is listed anywhere in the user's profile, it will pop up with the full name and picture. Check out the image of my own error page. My work e-mail address is not the address that I use to sign in to my account but it is listed in my profile.
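To make the disclosure concrete, here is an added example (not Facebook's code, not from the Full-disclosure post) in Python: a login handler that reproduces the behaviour described above beside a hardened one that looks the account up by its login e-mail only, answers "unknown e-mail" and "wrong password" identically, and shows the name-and-picture hint only to a browser holding a token issued after an earlier successful login for that same account. The user directory, the token table and the clear-text password are constructed for the demo.

```python
import hmac

# Constructed sample data: one account with a login e-mail and a second e-mail
# that is merely listed on the profile, which is what the article says triggers the leak.
USERS = {
    "u1": {
        "name": "Alice Example",
        "picture": "alice.jpg",
        "login_email": "alice@example.com",
        "profile_emails": {"alice@example.com", "alice@work.example"},
        "password": "correct horse",  # stored in clear only to keep the demo short
    },
}
# Opaque cookie values issued to a browser after a successful login (constructed).
DEVICE_TOKENS = {"tok-abc": "u1"}

GENERIC_ERROR = {"error": "invalid email or password"}


def _check_password(user, password):
    # Constant-time comparison; a real system would compare password hashes.
    return hmac.compare_digest(user["password"], password)


def login_error_vulnerable(email, password):
    """Behaviour the article describes: on a wrong password the error page is
    filled with the account's name and picture for ANY e-mail listed on a
    profile, with no proof that the requester owns the account."""
    for u in USERS.values():
        if email in u["profile_emails"]:
            if _check_password(u, password):
                return {"ok": True}
            return {"error": "wrong password", "name": u["name"], "picture": u["picture"]}
    return {"error": "unknown email"}  # distinguishable reply: confirms non-existence too


def login_error_hardened(email, password, device_cookie=None):
    """Hardened form: look up by login e-mail only, answer unknown e-mail and
    wrong password identically, and show the identity hint only when the
    browser carries a token previously issued to this same account."""
    uid = next((k for k, u in USERS.items() if u["login_email"] == email), None)
    if uid is None:
        return dict(GENERIC_ERROR)
    u = USERS[uid]
    if _check_password(u, password):
        return {"ok": True}
    if DEVICE_TOKENS.get(device_cookie) == uid:
        return {"error": "wrong password", "name": u["name"], "picture": u["picture"]}
    return dict(GENERIC_ERROR)
```

The hardened handler also removes the enumeration side channel one commenter below points out: an unknown address and a wrong password produce the same response, so the page no longer confirms which addresses belong to accounts.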

OK, how big of a deal is this? Well, Atul Agarwal, who exposed this bug on the Secfence Technologies' Full-disclosure blog this week, wrote a PHP script that works with large lists of email addresses to harvest the data. Agarwal wrote:

Facebook users have no control over this, as this works even when you have set all privacy settings properly. Harvesting this data is very easy, as it can be easily bypassed by using a bunch of proxies.

And, no, this isn't some sort of cache thing that populates the field because you've used that particular address before. I went into my own personal contacts list and pulled up the email address of someone random who I knew I was not Facebook friends with. It worked perfectly.

Facebook has worked hard to address privacy concerns and I have no doubt that the company will be closing this loophole soon. But, as the company has taken a beating over its efforts - or lack of them - to curb privacy abuse, I can't help wondering whether this is just a loophole that the company missed or if it's simply taking a reactive stance when it comes to privacy issues - that is, just wait until someone exposes something and then fix it.

What I'd like to see is Facebook taking some proactive steps to scour the site and look for any and every possible loophole that could compromise privacy - and then close it.


  • RE: Facebook loophole reveals names, pictures with sign-on errors

    All I can say to this is WOW. I had seen this on my own page, but did not think it was a full-fledged bug.

    OK, Facebook ... I think you need to concentrate on privacy before you do another page tweak like you are rumored to be doing on 08/31
  • RE: Facebook loophole reveals names, pictures with sign-on errors

    Does not seem like a bug to me, more like a feature. A bad one, but nevertheless someone put effort into giving you the picture and mail on the error page. Some developer probably just did not think of the possibility that you would type in someone else's address deliberately...
  • RE: Facebook loophole reveals names, pictures with sign-on errors

    I saw this too, but just assumed it was from my own cache. I thought to myself, "SURELY they wouldn't expose THIS!". I guess I gave them too much credit.
    Software Architect 1982
    • RE: Facebook loophole reveals names, pictures with sign-on errors

      @Digital Video Expert yeah...suuuure you did! Because of course, Facebook is the ONLY way people can get your name and e-mail! Scale of 1 to 10 security breach-wise, this is a 1.
  • maybe I'm missing it here...

    What is this bug? I can search for people by full name and see their profile pictures so I guess I'm confused as to what the issue is.

    Crud, the fact that it doesn't have to be their login e-mail means that you might not even have their login name!
    • RE: Facebook loophole reveals names, pictures with sign-on errors

      @Peter Perry, with search you get people's names and pictures, but not their e-mail addresses. S[pc]ammers get their e-mail addresses, but probably not their names and pictures. This Facebook "feature" allows s[pc]ammers to match the e-mail addresses they have with names and pictures and also to confirm the existence of the e-mail addresses (it allows a spammer to create a good quality list of e-mail addresses from a random e-mail address list).
      S P Arif Sahari Wibowo - http://www.arifsaha.com/
  • RE: Facebook loophole reveals names, pictures with sign-on errors

    agree with _aoc. Hope it's sorted out soon.
  • RE: Facebook loophole reveals names, pictures with sign-on errors

    I'm confused; it did work the way it was described when I entered my own email address and an incorrect password, but not for anyone else's (and in my wife's case, I know which email address she uses for facebook.)
  • How about a response to the comments?

    Several people, myself included, have tried this but only received the message with picture, e-mail, and full name when entering their own email or an email from someone who has used that computer to successfully log in to Facebook.

    I also tried using the email of two random people--one I know is on FB with whom I am not FB friends and another who is a FB friend. It didn't work either time.

    It is irresponsible to print and perpetuate a story like this that is either not true, not completely true, or at least no longer true (if the so-called bug has been fixed).

    The story is all over Twitter, FB, etc. so it is out there and you can't take it back.

    But I am astounded that the "reporters" who are writing about this have not done more due diligence (trying to find the loophole using one email is not due diligence, by the way) nor updated their stories to include the information posted in the comments here and elsewhere.

    And reporters wonder why no one trusts them ...
  • RE: Facebook loophole reveals names, pictures with sign-on errors

    One more note: I also got an email from FB alerting me that I was having trouble signing into FB. So I'm assuming those folks whose email addresses I experimented with will get similar alerts.

    AND, how about that zdnet registration process, huh? Holy cow that's a lot of personal information you request just to leave a comment!
  • RE: Facebook loophole reveals names, pictures with sign-on errors

    I have a FB page, and have never had a problem, because I don't put anything on it that I don't want people to know.

    Also, I have seen this error page and have thought nothing of it, so what if it shows my first and last name? Facebook is not the only way to find that simple information.

    And, if you're putting in someone else's email with the incorrect password, chances are you already know their full name, and you're creepy anyway for trying to get into their FB account.

    I see no security breach here, chill out people.
  • RE: Facebook loophole reveals names, pictures with sign-on errors

    I have tested this with several emails of friends and family and either the "bug" is fixed or it never existed. Story closed.
  • RE: Facebook loophole reveals names, pictures with sign-on errors

    I have 2 accounts, one is mine the other is a fake name that I use to test facebook features. On my actual account, no picture and no name is exposed. On my fake account, the name and the default FB picture are shown. Looks like the issue goes away if you've locked down your privacy settings...if not, you probably don't care.
  • RE: Facebook loophole reveals names, pictures with sign-on errors

    It only works that way if you get close to your password, and have the proper email address. I just tried it with 3 different email addresses, 2 of which I have no clue what the associated passwords are, and my own, which I then used with the incorrect password (one number off), and that page popped up and asked me if it was me and if I wanted to reset my password. So I think this article is making it out to be a bigger deal than it actually is. If you know someone's password down to missing one letter or number or simply mixing up two of the numbers/letters, then that person needs to change his or her password.
    • RE: Facebook loophole reveals names, pictures with sign-on errors

      @steven_t - does this mean facebook keeps your password in plaintext in a database somewhere? Isn't it safer to just keep the hashtext and use that for comparison? How would you know if the password was close otherwise? Even if a letter was off, the hashtext would be completely different.

      Or does Zuckerberg still like to log into other people's accounts and abuse their data? (source: http://www.businessinsider.com/how-mark-zuckerberg-hacked-into-the-harvard-crimson-2010-3)
      • RE: Facebook loophole reveals names, pictures with sign-on errors

        @johnstewie In the EULA, I am sure there are plenty of legal loopholes that I don't even need to look up that would grant any member of Facebook any reason whatsoever to check up on your account. They're a privately owned business, not the government. If they want to go through your "personal messages", they most certainly have the right to do so. Will this make you upset? Sure, if you like getting upset over trivial bullshit. What are you hiding anyway?
  • Seriously?

    Is your name and picture really that much of a privacy issue? What should you have to worry about anyway? It's not like it's giving up actual personal information.

    You are completely blowing this out of proportion and I cannot believe that you would publish an article on this. Pro tip for anyone worried about this MEANINGLESS security issue: GO OUTSIDE. I am sure that if some stranger came up to you and shook your hand, they would see your face and you'd exchange names.

    Ask yourself... is this really a big deal?
  • RE: Facebook loophole reveals names, pictures with sign-on errors

    As bad as that is, I myself have seen a rush of fake profiles spamming me. In the end of it all, though, the end user is not paying for any service here and any/all information posted to their profile is voluntary to begin with. It's easy to see these loopholes and then badger the company for crappy security and boast about privacy issues. If this was a bank, college admin's computer, or something similar, then that would be a real issue. This is such a non-issue and in my opinion a waste of writing.