
Facebook Hack Revealed Any User's Private Email Address

Discussion in 'BlackHat Lounge' started by The Scarlet Pimp, Dec 30, 2016.

  1. The Scarlet Pimp

    The Scarlet Pimp Senior Member

    Joined:
    Apr 2, 2008
    Messages:
    877
    Likes Received:
    3,311
    Occupation:
    Chair moistener.
    Location:
    Cyberspace
    A Facebook bug bounty hunter recently discovered a serious security vulnerability that allowed him to view the private email address of every Facebook user.

    The security researcher, Tommy DeVoss, discovered the bug on Thanksgiving Day and reported it to Facebook. After going back and forth with the site for several weeks, he was finally awarded $5,000 through the site’s Bug Bounty program.

    The security flaw stemmed from the Facebook Groups tool that allowed admins to invite any Facebook member to take on an admin role.

    These admin invitations were sent to the recipients' private email addresses, and DeVoss discovered that when he canceled pending invitations, he was taken to a page where he could view the full email addresses of the people he'd invited.

    As DeVoss pointed out, this hole in Facebook's security could’ve caused massive problems for the site.

    "The hack allowed me to harvest as many e-mail addresses as I wanted from anybody on Facebook. It didn't matter how private you thought your e-mail address was - I could have grabbed it," DeVoss said.

    "Harvesting email addresses this way contradicts Facebook's privacy policy and could lead to targeted phishing attempts or other malicious purposes."

    It's heartening that so many security researchers do the right thing and report these hacks when they find them. However, some don't, and that's always the concern with giving Facebook so much of your personal information.

    https://threatpost.com/clever-facebook-hack-reveals-private-email-address-of-any-user/122723/

    http://facecrooks.com/Internet-Safe...vealed-Any-User’s-Private-Email-Address.html/
     
  2. asap1

    asap1 BANNED

    Joined:
    Mar 25, 2013
    Messages:
    4,961
    Likes Received:
    3,185
    Cool. :cool:
     
  3. mynameisfrankenstein

    mynameisfrankenstein Regular Member

    Joined:
    Apr 2, 2015
    Messages:
    431
    Likes Received:
    344
    Gender:
    Male
    Location:
    BC, Canada
    Haha 5 grand... imagine how much some blackhatters would pay for that incredible bug.
     
  4. WORK@HOME

    WORK@HOME Senior Member

    Joined:
    Apr 25, 2013
    Messages:
    924
    Likes Received:
    404
    Location:
    Right Here
    I'm sure many people gathered a lot of data this way.
     
  5. hippo123

    hippo123 Jr. VIP

    Joined:
    Mar 9, 2016
    Messages:
    1,833
    Likes Received:
    400
    He could have sold it for way more.........
     
  6. mynameisfrankenstein

    mynameisfrankenstein Regular Member

    Joined:
    Apr 2, 2015
    Messages:
    431
    Likes Received:
    344
    Gender:
    Male
    Location:
    BC, Canada
    He could have been making himself the most ultra targeted email lists ever.

    Especially on profiles public with their likes. It's amazing the potential...
     
  7. socialbulkmarket

    socialbulkmarket Junior Member

    Joined:
    Jul 21, 2015
    Messages:
    111
    Likes Received:
    13
    wow that is great!! lol
     
  8. terrycody

    terrycody Supreme Member

    Joined:
    Sep 29, 2012
    Messages:
    1,458
    Likes Received:
    400
    Occupation:
    marketer
    Location:
    Hell
    Nice read and indeed a white hacker.
     
  9. zahnspange

    zahnspange Newbie

    Joined:
    Oct 26, 2016
    Messages:
    15
    Likes Received:
    10
    5k is an insult.
     
    • Thanks x 3
  10. tb303

    tb303 Power Member

    Joined:
    Dec 18, 2011
    Messages:
    770
    Likes Received:
    448
    I'll make a prediction for 2017...The year of the Great Facebook Hack.
     
  11. KaceyNB

    KaceyNB Newbie

    Joined:
    Nov 10, 2016
    Messages:
    24
    Likes Received:
    4
    Occupation:
    Student
    Location:
    London
    People on here would have paid so much more for that..
     
  12. troin

    troin Junior Member

    Joined:
    Jun 8, 2016
    Messages:
    155
    Likes Received:
    130
    Location:
    Europe
    These kinds of people are very stupid. They do stupid things for fame and a shitty 5k.
     
    • Thanks x 1
  13. mynameisfrankenstein

    mynameisfrankenstein Regular Member

    Joined:
    Apr 2, 2015
    Messages:
    431
    Likes Received:
    344
    Gender:
    Male
    Location:
    BC, Canada
    Plus the majority are using their 100% real emails with Facebook! No bullshit emails. You have the perfect direct line to anyone famous or whatever. Can find out what agencies are managing what pages, etc.

    This guy is a huge clown.
     
  14. The Scarlet Pimp

    The Scarlet Pimp Senior Member

    Joined:
    Apr 2, 2008
    Messages:
    877
    Likes Received:
    3,311
    Occupation:
    Chair moistener.
    Location:
    Cyberspace
    More about FB from "Facecrooks"...

    Facebook Is Buying Your Private Data From Third-Party Brokers

    Most savvy Facebook users understand that the social media giant traffics in our data. The things you tell the site help it target advertising to you, and thus make more money. However, according to a bombshell report from ProPublica this week, Facebook is also buying your private data from third-party brokers. The information it buys includes financial data like your income, credit card usage, and even what kind of restaurants you like to frequent.

    Facebook has admitted that it obtains user data “from a few different sources,” though the vast majority of users don’t understand exactly what that means. According to the report, Facebook gathers “detailed dossiers” from third-party data brokers on users’ offline lives. The site says that it doesn’t fully disclose this to users because all of that information is already available — but that excuse doesn’t pass muster with some experts.

    "They are not being honest," Jeffrey Chester, executive director of the Center for Digital Democracy, told ProPublica. "Facebook is bundling a dozen different data companies to target an individual customer, and an individual should have access to that bundle as well."

    Facebook can't get its hands on enough data, so it's not surprising that it actually purchases more of our private info. But it's still troubling that the site seemingly tries to hide that fact from users.

    From ProPublica...

    “Our approach to controls for third-party categories is somewhat different than our approach for Facebook-specific categories,” said Steve Satterfield, a Facebook manager of privacy and public policy. “This is because the data providers we work with generally make their categories available across many different ad platforms, not just on Facebook.”

    Satterfield said users who don’t want that information to be available to Facebook should contact the data brokers directly. He said users can visit a page in Facebook’s help center, which provides links to the opt-outs for six data brokers that sell personal data to Facebook.

    Limiting commercial data brokers’ distribution of your personal information is no simple matter. For instance, opting out of Oracle’s Datalogix, which provides about 350 types of data to Facebook according to our analysis, requires “sending a written request, along with a copy of government-issued identification” in postal mail to Oracle’s chief privacy officer.

    Users can ask data brokers to show them the information stored about them. But that can also be complicated. One Facebook broker, Acxiom, requires people to send the last four digits of their social security number to obtain their data. Facebook changes its providers from time to time so members would have to regularly visit the help center page to protect their privacy.

    One of us actually tried to do what Facebook suggests. While writing a book about privacy in 2013, reporter Julia Angwin tried to opt out from as many data brokers as she could. Of the 92 brokers she identified that accepted opt-outs, 65 of them required her to submit a form of identification such as a driver’s license. In the end, she could not remove her data from the majority of providers.

    ProPublica’s experiment to gather Facebook’s ad categories from readers was part of our Black Box series, which explores the power of algorithms in our lives. Facebook uses algorithms not only to determine the news and advertisements that it displays to users, but also to categorize its users in tens of thousands of micro-targetable groups.

    https://m.facebook.com/help/494750870625830
     
    • Thanks x 1
    Last edited: Dec 31, 2016