Programmer, web developer and bug bounty hunter Roy Castillo discovered a flaw in Facebook late last month that would expose any user's primary email address, with no interaction from that user and regardless of their privacy settings.
Facebook fixed the vulnerability quickly, and Castillo earned $4,500 through the Facebook White Hat bug bounty program. A couple of days ago he outlined in a blog post the steps he took to find the bug.
The bug lived in Facebook's app development tools, where an app's administrators can add other Facebook users to the app in a developer role. If the user being added had an unverified account, the error message returned by that form revealed the account's primary email address.
It all begins with collecting a numerical Facebook user ID, which can be obtained through the Facebook People Directory, Castillo said in his blog post. Submit that ID on the developer role page for any Facebook user, regardless of their privacy settings; if the account is unverified, the page responds with an error message containing the primary email address tied to it.
Castillo was able to reproduce the result by simply blocking an account, and by adding more parameters to the request he obtained a list containing multiple email addresses at once.
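To make the vulnerability class concrete, here is an added example (not Facebook's code, and not from Castillo's blog post) that models an "add developer by user ID" endpoint in Python. The `add_developer_vulnerable` function reflects the target account's email into its error text the way the article describes; `add_developer_fixed` makes the same decision but reports only the ID the caller supplied, and uses one message for both "no such user" and "unverified", so the endpoint stops acting as an oracle for either the address or the account's existence. `harvest_emails` is the attacker's side: a batch of numeric IDs is submitted and any address that leaks through the error text is collected. The user directory is constructed sample data; the function names and the `User` fields are assumptions for this illustration.

```python
"""Model of an 'add developer by user ID' endpoint that leaks the target's
primary email address through its error message, beside a hardened version.
Hypothetical example; this is not Facebook's code."""

from dataclasses import dataclass
import re


@dataclass
class User:
    uid: int            # numeric user ID, the only thing the attacker needs
    email: str          # primary email address (private)
    verified: bool      # whether the account has confirmed its email
    email_public: bool  # the user's privacy setting for the address


# Constructed sample directory for the example; these are not real people.
DIRECTORY = {
    1001: User(1001, "alice@example.com", verified=True, email_public=False),
    1002: User(1002, "bob@example.com", verified=False, email_public=False),
    1003: User(1003, "carol@example.org", verified=False, email_public=False),
}


def add_developer_vulnerable(target_id):
    """Vulnerable: the unverified-account error embeds the target's email.

    Note that the privacy setting (email_public) is never consulted on this
    path, which is why the leak works regardless of it.
    """
    user = DIRECTORY.get(target_id)
    if user is None:
        return (False, "No such user")
    if not user.verified:
        return (False, f"The user {user.email} has not verified their account yet")
    return (True, "Developer added")


def add_developer_fixed(target_id):
    """Hardened: same decision, but the error refers only to data the caller
    already had (the ID), and 'missing' and 'unverified' are indistinguishable
    so the endpoint cannot be used to probe either."""
    user = DIRECTORY.get(target_id)
    if user is None or not user.verified:
        return (False, f"User {target_id} cannot be added as a developer")
    return (True, "Developer added")


# Deliberately loose pattern: an attacker only needs to spot an address.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def harvest_emails(endpoint, ids):
    """Attacker view: submit a batch of numeric IDs and keep every email
    address that the endpoint's error text gives away."""
    found = {}
    for uid in ids:
        ok, msg = endpoint(uid)
        if not ok:
            m = EMAIL_RE.search(msg)
            if m:
                found[uid] = m.group(0)
    return found


if __name__ == "__main__":
    ids = [1001, 1002, 1003, 9999]
    print("vulnerable:", harvest_emails(add_developer_vulnerable, ids))
    print("fixed:     ", harvest_emails(add_developer_fixed, ids))
```

The point of the hardened version is not the wording of the message but what it is derived from: any error string built from fields of the looked-up record, rather than from the caller's own input, is a candidate for this kind of leak, and it should be reviewed against the same privacy rules that govern the normal profile view.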
Castillo discovered the vulnerability on June 25 and reported it to Facebook on June 28. He received an immediate automated response, followed by a reply from a person one hour later. The vulnerability was fixed less than six hours after that, and Castillo was awarded his bounty on July 19.