Bug bounty hunter details Facebook vulnerability

A Facebook vulnerability that revealed a number of primary email addresses was discovered.

Programmer, web developer and bug bounty hunter Roy Castillo discovered a glitch in Facebook late last month that would expose any user's primary email address without user interaction, and regardless of the account's privacy settings.

Facebook expedited elimination of the vulnerability and Castillo earned $4,500 as part of the Facebook White Hat bug bounty program. A couple of days ago, he outlined in a blog post the steps he took to discover the bug.

The bug was reached through Facebook's app development tools, where app administrators can add developers to an app. In this instance, adding any unverified Facebook user as a developer revealed that user's primary email address.

It all begins with collecting a numerical Facebook user ID, which can be obtained through the Facebook People Directory, Castillo said in his blog post. Adding that ID to the developer profile page for any Facebook user, regardless of their privacy settings, caused an unverified account to produce an error message containing the primary email address tied to the account.

Castillo was able to reproduce the result by simply blocking an account, and then, by adding more parameters, to obtain a list containing multiple email addresses at once.
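The pattern Castillo describes, an error path that echoes a private field to anyone holding a public ID, shown as an added Python illustration that is not Facebook's code or Castillo's: a mock "add developer" handler with the flaw beside a hardened version. The user directory, IDs and function names are constructed for this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    uid: int        # numerical user ID (discoverable via the people directory)
    email: str      # primary email address (private under the user's settings)
    verified: bool

# Constructed sample directory keyed by numerical user ID (not real accounts).
USERS = {
    100001: User(100001, "alice@example.com", True),
    100002: User(100002, "bob@example.com", False),
    100003: User(100003, "carol@example.com", False),
}

def add_developer_vulnerable(uids):
    """Mirrors the reported flaw: the 'unverified' error interpolates the
    account's primary email, so anyone who knows a public ID learns the address.
    Accepting a list of IDs lets one request enumerate many accounts at once."""
    errors = []
    for uid in uids:
        user = USERS.get(uid)
        if user is None:
            errors.append(f"{uid}: no such user")
        elif not user.verified:
            errors.append(f"{uid}: account {user.email} must be verified first")
    return errors

def add_developer_hardened(uids, max_batch=1):
    """Same check, but the error only echoes data the caller already supplied
    (the ID), unknown and unverified IDs get the same message, and the batch
    size is capped so the endpoint cannot be used for bulk harvesting."""
    if len(uids) > max_batch:
        raise ValueError("too many developer IDs in one request")
    errors = []
    for uid in uids:
        user = USERS.get(uid)
        if user is None or not user.verified:
            errors.append(f"{uid}: cannot be added as a developer")
    return errors

def leaked_emails(messages):
    """Response check a reviewer or test could run: which private addresses
    from the directory appear verbatim in the returned error strings?"""
    return [u.email for u in USERS.values()
            if any(u.email in m for m in messages)]
```

Running `leaked_emails` over the output of each handler is the kind of assertion a regression test for this class of bug would carry, so the error text cannot quietly start echoing private fields again.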

Castillo discovered the vulnerability on June 25 and initially reported it to Facebook on June 28. He received an immediate automated response, followed by a human response one hour later. The vulnerability was eliminated less than six hours later and Castillo earned his bounty on July 19.
