Facebook has another privacy issue on its hands. A security researcher shared a video with Vice, Ars Technica and others, showing how a tool can match email addresses to Facebook profiles in bulk — even if the users chose to keep their email details hidden from the public. According to the original source, they reported the front-end vulnerability that the tool exploits to Facebook but were apparently told that the company wouldn't be taking action against it.
In a statement sent to the publications, the social network said that it "erroneously closed out [the] bug bounty report [for the vulnerability] before routing to the appropriate team." It's now "taking initial actions to mitigate this issue."
Alon Gal, the co-founder of cybercrime intelligence firm Hudson Rock, tweeted about the tool along with a copy of the video. Technologist Ashkan Soltani also tweeted a transcript of the original video, in which the source described how they were able to use the tool to match 5 million addresses to Facebook accounts within a day. They also said that the tool is available in hacking groups and that bad actors are using it to target Page and advertising account owners with mail-access attacks, with the aim of taking over their Pages and accounts for monetary gain.
Facebook didn't say what it has already done to prevent the tool from exploiting the vulnerability. Hopefully, it has taken the steps needed to patch the flaw, because the source said there's a large-scale campaign to create one massive database for malicious purposes. The database, if completed, will be populated with email data gathered using this tool and the personal details of the 533 million Facebook members who were affected by a breach that was revealed last month.
Below is a transcript from a video the researcher shared to demo the attack (he asked to remain anonymous).
He states there is automated software available in the hacking community to exploit this vuln which is being used to compromise FB advertiser accounts.
More details to come pic.twitter.com/3P7rc6VyIB
— ashkan soltani (@ashk4n) April 20, 2021