Bug bounty hunter details Facebook vulnerability

A Facebook vulnerability that revealed a number of primary email addresses was discovered.

Programmer, web developer and bug bounty hunter Roy Castillo discovered a glitch in Facebook late last month that would expose any user's email address without user interaction, and regardless of the account's privacy settings.

Facebook expedited elimination of the vulnerability and Castillo earned $4,500 as part of the Facebook White Hat bug bounty program. A couple of days ago, he outlined in a blog post the steps he took to discover the bug.

The bug was reached through Facebook's app development tools, where app administrators can add other users to an app as developers. In this instance, the primary email address of any unverified Facebook user would be revealed if that user was added as a developer.

It all begins with collecting a numerical Facebook user ID, which can be obtained through the Facebook People Directory, Castillo said in his blog post. Adding any Facebook user to the developer profile page by that ID, regardless of their privacy settings, caused the page to display an error message for unverified accounts, and that error message contained the primary email address tied to the account.

Castillo was able to reproduce the result simply by blocking an account, and then, by adding more parameters to the request, obtain a list containing multiple email addresses at once.
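The root cause described above is a familiar pattern: an error path that interpolates an attribute of the looked-up account (here, its primary email) into a message shown to a different account. The following is an added example, not Facebook's code and not from Castillo's post; it models that pattern with constructed users and function names, places the vulnerable "add developer" handler beside a hardened one, and includes the kind of output check a team can keep in its test suite. It also covers the multi-ID case mentioned above, where several IDs are submitted in one request.

```python
"""
Added example (constructed; not Facebook's code). Models an "add developer by
numeric user ID" action whose error message leaks the target account's
primary email, next to a hardened version that never reflects account
attributes in user-facing text.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class User:
    uid: int
    email: str        # primary email; private to the account owner
    verified: bool    # whether the account has completed verification

# Constructed sample directory keyed by numeric user ID (assumption).
USERS: Dict[int, User] = {
    1001: User(1001, "alice@example.org", verified=True),
    1002: User(1002, "bob@example.org", verified=False),
}

# Generic matcher for anything that looks like an email address; used to
# assert that no user-facing message carries one.
EMAIL_RE = re.compile(r"[^\s@]+@[^\s@]+\.[^\s@]+")

def add_developer_vulnerable(uid: int) -> Tuple[bool, str]:
    """Vulnerable handler: the 'unverified account' error is built from the
    looked-up record, so anyone who can submit an ID learns that account's
    primary email. This is the defect the article describes, kept on purpose."""
    user = USERS.get(uid)
    if user is None:
        return False, f"No user with ID {uid}"
    if not user.verified:
        return False, (f"The account {user.email} must be verified before "
                       f"it can be added as a developer")
    return True, "Developer added"

def add_developer_hardened(uid: int) -> Tuple[bool, str]:
    """Hardened handler: the message is built only from the caller's own
    input (the ID they typed) and a fixed string. A missing account and an
    unverified account yield the same response, so the result does not even
    confirm which of the two applies."""
    user = USERS.get(uid)
    if user is None or not user.verified:
        return False, f"User {uid} cannot be added as a developer"
    return True, "Developer added"

def add_developers_hardened(uids: List[int]) -> Dict[int, Tuple[bool, str]]:
    """Batch form: submitting many IDs at once (the variant the article
    mentions) must not become a bulk lookup; each entry reuses the same
    attribute-free response."""
    return {uid: add_developer_hardened(uid) for uid in uids}

def leaks_email(message: str) -> bool:
    """Output check for tests: True if a user-facing message contains
    anything shaped like an email address."""
    return EMAIL_RE.search(message) is not None

if __name__ == "__main__":
    for handler in (add_developer_vulnerable, add_developer_hardened):
        ok, msg = handler(1002)
        print(f"{handler.__name__}: ok={ok} leaks_email={leaks_email(msg)} -> {msg!r}")
```

The design point is that the hardened response is derived from the request, not from the record it resolved to, and that the missing and unverified cases collapse to one message; `leaks_email` is the regression check that would have caught the original error string.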

Castillo discovered the vulnerability on June 25 and initially reported it to Facebook on June 28. He received an immediate automated response, followed by a human response one hour later. The vulnerability was eliminated less than six hours later and Castillo earned his bounty on July 19.
