My name has recently been added to the "Facebook Whitehat (http://www.facebook.com/whitehat)" page among the other security researchers that have reported security issues to Facebook directly. I have also received a very good reward for this; it took them several months to investigate my request, but it was worth it.
I am writing about it here to say that you do not always need to know how to code or have ninja skills to find bugs like this; I want to encourage everyone to participate in security bug bounty programs to help companies be more secure and earn money at the same time!
Here are the details (this bug has already been patched by Facebook):
Title of reported issue: "How to find unsearchable people by their emails in Facebook"
To find someone by their email address, even if they had made themselves unsearchable and hidden their email, it was possible to follow these steps:
1- Log in to your Facebook account (you need to have an activated account with a verified email).
2- Open the following page: https://www.facebook.com/ads/manage/settings.php
3- Now under the "Permissions" section, click on "Add a User".
4- Enter the email address that you are looking for in the box, click on "Add", and wait to see the response (it is better to choose "Reports Only" instead of "General User"). If you did not receive an "Invalid User" error, it means you were successful.
5- Now, after refreshing the page, you should be able to see the requested user under the "Permissions" area.
6- If you click on the user's name, you should be able to see his/her public profile.
By using this method, you could find the First Name, Last Name, and Facebook User ID of the user just by having his/her email address.
Recommendation to users:
– It is always better to use a private email address in social networking websites if you really want to be unsearchable.
Recommendation to developers in a similar situation:
– If there is any policy in the application, it should apply to all parts of it. I suggest that using shared secure libraries that meet the requirements is one of the best options.
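A sketch of that recommendation, added here as an example (it is not from the original report and is not Facebook's code): one shared lookup enforces the email-search privacy setting, and every feature that resolves an email address goes through it. All names and sample records are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class User:
    user_id: int
    name: str
    email: str
    searchable_by_email: bool  # the user's privacy setting


# Constructed sample data, not real accounts.
USERS = [
    User(1, "Alice Example", "alice@example.com", True),
    User(2, "Bob Example", "bob@example.com", False),  # opted out of email search
]
_BY_EMAIL = {u.email.lower(): u for u in USERS}


def find_user_by_email(email: str) -> Optional[User]:
    """Shared lookup: the only place that maps an email address to a user.

    Returns None for unknown emails and for users who opted out alike,
    so callers cannot tell the two cases apart.
    """
    user = _BY_EMAIL.get(email.strip().lower())
    if user is None or not user.searchable_by_email:
        return None
    return user


def search_people(email: str) -> str:
    user = find_user_by_email(email)
    return f"Found {user.name}" if user else "No results"


def add_ad_account_user_flawed(email: str) -> str:
    """Feature-specific lookup that skips the policy (the class of bug described above)."""
    user = _BY_EMAIL.get(email.strip().lower())
    return f"Added {user.name} (id {user.user_id})" if user else "Invalid User"


def add_ad_account_user(email: str) -> str:
    """The same feature routed through the shared lookup."""
    user = find_user_by_email(email)
    return f"Added {user.name} (id {user.user_id})" if user else "Invalid User"
```

With the shared lookup, an opted-out address and a nonexistent address produce the same response in every feature, so the "Add a User" form no longer acts as a second search box.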