Yet another vulnerability has been discovered in Facebook that allows a user to view which email addresses are linked to Facebook users’ accounts even if they have not publicly disclosed them, according to a video sent to various researchers and Motherboard.
Technologist Ashkan Soltani also posted a transcript of the video, in which the person who made it claims the tool abuses an active front-end vulnerability in Facebook. The narrator also said that the tool is currently available “within the hacking community” and can be used to match 5 million email addresses to Facebook accounts within a day.
“I’m querying 65,000 email addresses. And as you can see from the output log here, I’m getting a significant amount of results from them,” the person in the video says.
He further noted that someone could also combine this email data with phone numbers leaked in the previous data breach. “This is not only a huge privacy breach, but this will result in a new, another large data dump,” the person added. “I believe this is quite a dangerous vulnerability and I would like help in getting this stopped.”
The person also claims to have informed Facebook of the alleged tool; the company apparently told him it wouldn’t fix the issue, citing it as a minor thing.
“It appears that we erroneously closed out this bug bounty report before routing to the appropriate team. We appreciate the researcher sharing the information and are taking initial actions to mitigate this issue while we follow up to better understand their findings,” a Facebook spokesperson told Motherboard.
It is currently unclear how Facebook plans to tackle this issue, which could be easily exploited by hackers and scammers. The news of the new tool comes shortly after a user dumped the personal information of 533 million Facebook users on a hacking forum.