Monday, June 7, 2010

Facebook's 'Reset Password' page has potential for privacy violation

I'm not happy about the way the password-recovery procedure works on Facebook.
  1. You clear the captcha
  2. You supply the email address associated with your Facebook account
  3. If one exists, Facebook displays the Facebook account registered against that email ID
  4. You confirm the account to receive further instructions on the email ID
  5. Etc.
It's step (3) that I believe has the potential for misuse, such as violating someone's privacy. By returning a Facebook account (avatar, name, and a snippet) upon entering an email address (if one exists), Facebook's password-recovery webpage effectively acts as a reverse lookup directory, allowing someone to supply email IDs and obtain two pieces of information:
  1. Whether or not any Facebook account is associated with that email ID
  2. If yes, the avatar, name and a brief snippet of the Facebook account
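The defensive fix for step (3) is to make the web response identical whether or not the address is registered, and to send anything account-specific only to the mailbox itself. The following is an added Python example, not Facebook's code; the account store, the helper names and the sample address are constructed for illustration. It contrasts the leaky lookup described above with a uniform-response reset handler that stores only a hash of a single-use token.

```python
import hashlib
import secrets

# Constructed sample data for illustration only; nothing here is Facebook's code or data.
ACCOUNTS = {
    "alice@example.com": {"name": "Alice Example", "avatar": "alice.jpg", "snippet": "Hello!"},
}
# email -> SHA-256 of the outstanding single-use reset token (stored hashed, like a password)
PENDING_RESETS = {}

UNIFORM_MESSAGE = "If an account exists for that address, we have emailed reset instructions."


def leaky_reset_lookup(email: str) -> dict:
    """Step (3) as described in the post: the page itself tells the requester whether
    the address is registered and, if so, echoes profile details. Do not do this."""
    account = ACCOUNTS.get(email.strip().lower())
    if account is None:
        return {"found": False}
    return {"found": True, **account}


def hardened_reset_request(email: str, outbox: list) -> dict:
    """Uniform response: identical message and no profile data whether or not the
    address is registered. Reset instructions go only to the mailbox, so only
    someone who can read that mailbox learns anything. The token is generated in
    both branches so the registered and unregistered paths do similar work."""
    key = email.strip().lower()
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    if key in ACCOUNTS:
        PENDING_RESETS[key] = digest
        outbox.append({"to": key, "token": token})  # simulated mail delivery
    return {"message": UNIFORM_MESSAGE}


def redeem_reset_token(email: str, token: str) -> bool:
    """Consume the token (single use); compare the hashes in constant time."""
    key = email.strip().lower()
    expected = PENDING_RESETS.get(key)
    if expected is None:
        return False
    presented = hashlib.sha256(token.encode()).hexdigest()
    if not secrets.compare_digest(presented, expected):
        return False
    del PENDING_RESETS[key]
    return True
```

A real deployment would also rate-limit the endpoint per source and per address, since the uniform message removes the content leak but not the cost of bulk requests.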
The following screenshots demonstrate how I was able to obtain the Facebook accounts against two different email addresses (private information has been blurred):


  1. Update (12-Aug-10): Over two months later, someone else has discovered it too (

  2. Update 2 (12-Aug-10): Since the so-called bug was around for at least 2 months (perhaps even more), anyone with malicious intentions and knowledge of the "bug" must've already pulled the exposed data (a one-to-one mapping of email addresses to names, photos and an optional snippet of text).

  3. Rishabh, the uniqueness of the invalid-password bug was that there was no CAPTCHA. And after retries, a CAPTCHA was sent by the server, which was also easy to bypass using HTTP proxies.