Leak gave attackers access to hidden email addresses on Facebook
An American researcher discovered a trick for finding hidden email addresses on Facebook; the social network has since closed the leak. He did so by working through URLs on the social network’s mobile site.
The researcher, Tommy DeVoss, explains in a blog post that the leak lay in the way the mobile site constructed the URL for canceling a request for a ‘page role’ on a Facebook page. Although the interface itself neatly masked the email address with asterisks, the full email address was visible in the URL.
Exploiting the vulnerability required a malicious person to set up a Facebook page and invite people with whom he or she had no Facebook connection, for example as “editors” or “administrators” of that page. Facebook then sent a request to each invited person, and when that request was canceled on the mobile page, Facebook displayed a URL containing the person’s email address.
Facebook acknowledged the leak and has since patched it. DeVoss was also awarded a $5,000 reward for reporting the leak through the Facebook Bounty Program.