Facebook loophole reveals users’ names, photos

12 Aug 2010

A loophole has been discovered on Facebook that allows anyone to view a user’s full name and photo, regardless of privacy settings.

The information can be retrieved on the sign in error page if someone gives any correct email address and an incorrect password.

Facebook then returns their full name and profile photo and asks for password again.

The privacy issue was found by Atul Agarwal of Secfence Technologies, who used a PHP script that works with lists of email addresses to aggregate the data.

Agarwal said that the information could be used by phishers to verify if an email account is valid or to find out the real names of the owners of the address.

While the threat of privacy is relatively small, Agarwal feels that it could be another criticism of Facebook’s handling of user’s data.

“Facebook has worked hard to address privacy concerns and it[sic] have no doubt that the company will be closing this loophole soon,” said Agarwal

“But, as the company has taken a beating over its efforts – or lack of – to curb privacy abuse, I can’t wonder whether this is just a loophole that the company missed or if it’s simply taking a reactive stance when it comes to privacy issues – that is, just wait until someone exposes something and then fix it,”

A Facebook spokesperson acknowledged the issue and says that they are working on fixing it.

“We have technical systems in place to prevent people’s names and photos from showing to unrelated users upon login, but a recently introduced bug temporarily prevented these from working as intended,” the spokesperson said.

“We are already working on a fix and expect to remedy the situation shortly. Please note that our Statement of Rights and Responsibilities (http://www.facebook.com/terms.php) dictates who and how public information can be accessed, and we prohibit people from scraping our site.”