How to Find Out A Facebook Email Address

When you sign up for a social network you expect it to keep its privacy promises. For example, if you tell the social network not to reveal your email address to any other members, you expect it to remain private.


However, a security researcher has detailed how he discovered a way to learn *any* Facebook user's primary email address, regardless of their privacy settings, by exploiting a weakness on the social network.

Security researcher Stephen Sclafani described how he came across the privacy hole while looking through some old mailing list email.

Among the messages he found was a Facebook invitation reminder email, apparently sent by accident when the user made the mistake of following Facebook's suggestion to invite their entire contacts list to the social network:

What is interesting is the clickable URL at the bottom of the invitation message.

When Sclafani clicked the link, he was taken to a Facebook sign-up page already filled in with the mailing list's address and the name of the person who used the link to register for an account:

Sclafani took a more detailed look at the link, and discovered something interesting:

To put it simply, if you replaced that part of the "mid" parameter with the hex value of a different Facebook user's numeric profile ID, you would be shown their primary email address.

Facebook profile IDs aren't secret. You can get them easily via sites like Discover My Facebook ID or from Facebook's own profile directory site.

Clearly, it's possible to imagine how somebody interested in grabbing the email address of *every* *single* Facebook user might write a script to trawl the profile directory site, convert each ID into hex, and then use the modified URL to scoop up each address.

It's simple to envision how a database of such email addresses could be abused.
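The flaw described above comes down to a link parameter that the server trusted without checking that it had issued that value. The added Python example below (not from the original article or from Facebook, and not a description of Facebook's actual fix) contrasts that pattern with a link whose ID is protected by a server-side MAC; the function names, the `sig` parameter and the sample records are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed sample records: numeric profile ID -> primary email.
USERS = {1001: "alice@example.com", 1002: "bob@example.com"}
SERVER_KEY = secrets.token_bytes(32)  # hypothetical server-side secret


def prefill_vulnerable(mid: str):
    """Flawed pattern: trusts whatever hex ID arrives in the link."""
    return USERS.get(int(mid, 16))


def _sign(mid: str) -> str:
    """MAC over the hex ID, computable only by the server."""
    return hmac.new(SERVER_KEY, mid.encode(), hashlib.sha256).hexdigest()


def issue_link(user_id: int) -> dict:
    """Build link parameters for one user, with a MAC over the ID."""
    mid = format(user_id, "x")
    return {"mid": mid, "sig": _sign(mid)}


def prefill_hardened(params: dict):
    """Return the email only if the MAC proves the server issued this ID."""
    mid = str(params.get("mid", ""))
    sig = str(params.get("sig", ""))
    # Constant-time comparison; bytes avoid errors on non-ASCII input.
    if not hmac.compare_digest(_sign(mid).encode(), sig.encode()):
        return None  # ID was altered or guessed: disclose nothing
    try:
        return USERS.get(int(mid, 16))
    except ValueError:
        return None


if __name__ == "__main__":
    link = issue_link(1001)
    tampered = dict(link, mid=format(1002, "x"))  # ID swapped, old MAC kept
    print(prefill_vulnerable(tampered["mid"]))  # another user's address
    print(prefill_hardened(link))               # legitimate link works
    print(prefill_hardened(tampered))           # altered link is rejected
```

Because profile IDs are public and sequentially guessable, the MAC is what makes the link unforgeable here; hiding or re-encoding the ID would not.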

Luckily, Stephen Sclafani has some principles. Rather than attempt to make a big splash by publishing details of Facebook's embarrassing flaw, he chose to disclose it responsibly to the social network. Sclafani says that Facebook fixed the flaw within 24 hours, and rewarded him $3,500 for his efforts under its Bug Bounty program.

Facebook certainly seems grateful that he acted in the way he did, telling me:

Well done to Sclafani for discovering the flaw and acting properly. And, although it would have been better if the privacy loophole hadn't been there in the first place, well done to Facebook for fixing it so quickly after being informed.
