Facebook fixes bug that spammers could have used

Facebook this week fixed a privacy glitch on its website that could have been abused to obtain a user's full name and photo by entering an incorrect password, a researcher said Wednesday.

When logging into Facebook, if a user's email address was paired up with the wrong password, the site returned an “incorrect password” message – along with the full name and profile picture of the user associated with the email address that was provided, Atul Agarwal of Secfence Technologies wrote in a post on the Full Disclosure mailing list.

The bug, which existed for an unknown amount of time, could have been abused by phishers or spammers to match unknown email addresses with an individual's name and photo, Agarwal said.

Such capability could be useful for crafting socially engineered phishing attacks that include a user's full name, according to Agarwal. Additionally, someone with malicious intent could have generated a list of random email addresses and utilized the flaw to verify their existence.
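To make the enumeration risk concrete, the following added example (not code from Facebook or from the researcher; all account data and names are constructed) contrasts a login handler that reproduces the reported behaviour with a hardened one whose failure response is identical whether or not the email exists, plus a check a defender can run to tell the two apart.

```python
import hashlib
import hmac
import json

# Constructed account store: email -> password hash, display name, photo path.
# A fixed salt is used only to keep the example short; real systems use a per-user salt.
_SALT = b"example-salt"

def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 10_000)

ACCOUNTS = {
    "alice@example.com": {"pw": _hash("correct horse"),
                          "name": "Alice Example", "photo": "/photos/alice.jpg"},
}

def login_leaky(email: str, password: str) -> dict:
    """Mimics the reported bug: a wrong password for an existing email returns
    the account's name and photo, which also confirms the email is registered."""
    acct = ACCOUNTS.get(email)
    if acct is None:
        return {"ok": False, "error": "unknown email"}
    if hmac.compare_digest(acct["pw"], _hash(password)):
        return {"ok": True, "name": acct["name"]}
    return {"ok": False, "error": "incorrect password",
            "name": acct["name"], "photo": acct["photo"]}

_DUMMY_HASH = _hash("placeholder")  # unknown emails cost the same work as known ones

def login_fixed(email: str, password: str) -> dict:
    """Hardened handler: unknown email and wrong password yield the same
    response, and no profile data is returned until authentication succeeds."""
    acct = ACCOUNTS.get(email)
    stored = acct["pw"] if acct else _DUMMY_HASH
    valid = hmac.compare_digest(stored, _hash(password)) and acct is not None
    if valid:
        return {"ok": True, "name": acct["name"]}
    return {"ok": False, "error": "The email or password you entered is incorrect."}

def responses_distinguish_accounts(handler) -> bool:
    """Defender's check: does the failure response differ between an existing
    account with a wrong password and an email that has no account at all?"""
    known = handler("alice@example.com", "wrong")
    unknown = handler("nobody@example.com", "wrong")
    return json.dumps(known, sort_keys=True) != json.dumps(unknown, sort_keys=True)
```

The same check can be pointed at a live login endpoint by comparing full responses (status, headers, body) for a known and an unknown address, which is how the leak described above would show up in a review.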

“Facebook users have no control over this, as this works even when you have set all privacy settings properly,” Agarwal wrote on Wednesday.

Facebook, in a statement sent to SCMagazineUS.com on Thursday, said the glitch has been fixed.

“We have technical systems in place to prevent people's names and profile photos from showing to unrelated users upon login, but a recently introduced bug temporarily prevented these from working as intended,” Facebook said in a statement. “We remedied the situation swiftly.”
