Facebook fixed a privacy glitch on its website this week that could have been abused to obtain a user's full name and photo by entering an incorrect password, a researcher said on Wednesday.
When logging into Facebook, if a user's email address was paired up with the wrong password, the site returned an 'incorrect password' message – along with the full name and profile picture of the user associated with the email address that was provided, according to Atul Agarwal of Secfence Technologies in a post he wrote on the Full Disclosure mailing list.
The bug, which existed for an unknown amount of time, could have been abused by phishers or spammers to match unknown email addresses with an individual's name and photo, Agarwal said.
Such capability could be useful for crafting socially engineered phishing attacks that include a user's full name, according to Agarwal. Additionally, someone with malicious intent could have generated a list of random email addresses and utilised the flaw to verify their existence.
“Facebook users have no control over this, as this works even when you have set all privacy settings properly,” Agarwal wrote on Wednesday.
Facebook said the glitch has been fixed, in a statement sent to SCMagazineUS.com on Thursday.
“We have technical systems in place to prevent people's names and profile photos from showing to unrelated users upon login, but a recently introduced bug temporarily prevented these from working as intended,” Facebook said in a statement. “We remedied the situation swiftly.”