A tool lets a user see which email address is linked to a Facebook account even if the Facebook user didn’t publicly advertise their address, according to a video sent to various researchers and Motherboard.
The news presents another significant privacy issue for Facebook, which is continuing to face a series of data leaks around phone numbers and other data.
“It appears that we erroneously closed out this bug bounty report before routing to the appropriate team. We appreciate the researcher sharing the information and are taking initial actions to mitigate this issue while we follow up to better understand their findings,” a Facebook spokesperson told Motherboard.
“I believe this is quite a dangerous vulnerability and I would like help in getting this stopped,” a person who says they are trying to get Facebook to fix the issue says in the video. Motherboard obtained a copy of the video but did not speak to the person who made it.
On Tuesday, technologist Ashkan Soltani and Alon Gal, co-founder and CTO of cybersecurity intelligence firm Hudson Rock, both tweeted some details around the tool. Gal uploaded a video to YouTube which allegedly showed the tool in action gathering email addresses linked to Facebook accounts. Soltani posted a transcript of the video that the person who is trying to highlight the vulnerability made.
Soltani shared a copy of the video with Motherboard. In the clip, the narrator appears to demo the tool to grind through a number of email addresses and see which Facebook account they correspond to.
“I’m querying 65,000 email addresses. And as you can see from the output log here, I’m getting a significant amount of results from them,” the person in the video says.
The person claims in the video that the tool is currently circulating within the hacking community. The person also claimed they had reported the issue to Facebook, and that the company said it would not be addressing it.
“This is not only a huge privacy breach, but this will result in a new, another large data dump,” the person added in the video. They said someone could also append this email data to previously disclosed phone numbers too.