Bug bounty hunter details Facebook vulnerability

A Facebook vulnerability that revealed a number of primary email addresses was discovered.

Programmer, web developer and bug bounty hunter Roy Castillo discovered a flaw in Facebook late last month that exposed any user's primary email address without user interaction, regardless of the account's privacy settings.

Facebook quickly fixed the vulnerability, and Castillo earned $4,500 through the Facebook White Hat bug bounty program. A couple of days ago he outlined in a blog post the steps he took to find the bug.

The bug lived in Facebook's app development tools, where app administrators can add other users as developers of their app. Adding an unverified Facebook user as a developer revealed that user's primary email address.

It begins with obtaining a numerical Facebook user ID, which can be found through the Facebook People Directory, Castillo said in his blog post. Adding any Facebook user to the developer page by that ID, regardless of the user's privacy settings, caused an unverified account to produce an error message containing the primary email address tied to the account.

Castillo reproduced the result simply by blocking an account, and by adding more parameters to the request he obtained a list containing multiple email addresses at once.
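The bug class at work here is an error message that interpolates a field the caller is not entitled to see, combined with a predictable numeric ID that makes it cheap to iterate. The following is an added illustration written for this article; it is not Castillo's proof of concept and not Facebook's code. The user table, the `verified` flag, the `email_visible_to` privacy setting and the `add_developer_*` functions are all hypothetical stand-ins for the real developer-page behaviour described above.

```python
# Hypothetical model of the leak described in the article: the "unverified
# account" error echoes the target's primary email, so anyone who can submit
# a numeric user ID can read an address the privacy setting should hide.
# Constructed example, not Facebook's code or Castillo's exploit.
from dataclasses import dataclass


@dataclass
class User:
    uid: int
    name: str
    email: str
    verified: bool
    email_visible_to: str  # simplified privacy setting: "everyone" or "only_me"


# Constructed sample directory keyed by numeric user ID.
USERS = {
    100001: User(100001, "Alice", "alice@example.com", True, "everyone"),
    100002: User(100002, "Bob", "bob@example.com", False, "only_me"),
    100003: User(100003, "Carol", "carol@example.com", False, "only_me"),
}


class DeveloperAddError(Exception):
    """Raised when a user cannot be added as an app developer."""


def add_developer_vulnerable(uid: int) -> str:
    """Vulnerable form: the validation error is built from the looked-up
    record, so it discloses the email regardless of email_visible_to."""
    user = USERS.get(uid)
    if user is None:
        raise DeveloperAddError("No such user")
    if not user.verified:
        raise DeveloperAddError(f"{user.email} is not a verified account")
    return f"Added {user.name}"


def add_developer_fixed(uid: int) -> str:
    """Fixed form: the error refers to the target only by the ID the caller
    already supplied, so nothing the privacy setting protects is echoed."""
    user = USERS.get(uid)
    if user is None:
        raise DeveloperAddError("No such user")
    if not user.verified:
        raise DeveloperAddError(f"User {uid} cannot be added: account not verified")
    return f"Added {user.name}"


def harvest_emails(add_fn, uids):
    """Mirror of the 'add more parameters' step: submit many IDs and keep
    every address that leaks through the error text."""
    leaked = []
    for uid in uids:
        try:
            add_fn(uid)
        except DeveloperAddError as err:
            leaked.extend(tok for tok in str(err).split() if "@" in tok)
    return leaked


if __name__ == "__main__":
    ids = [100001, 100002, 100003, 999999]
    print("vulnerable:", harvest_emails(add_developer_vulnerable, ids))
    print("fixed:     ", harvest_emails(add_developer_fixed, ids))
```

The practitioner's check is the last function: run the same ID sweep against any endpoint that accepts a user identifier and inspect every error path, not just the success path, for fields the caller should not be able to read.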

Castillo discovered the vulnerability on June 25 and initially reported it to Facebook on June 28. He received an immediate automated response, followed by a human response one hour later. The vulnerability was eliminated less than six hours later and Castillo earned his bounty on July 19.
