Facebook is scrambling to fix a bug in its website that could be misused by spammers to harvest user names and photographs.
It turns out that if someone enters the e-mail address of a Facebook user along with the wrong password, Facebook returns a special "Please re-enter your password" page, which includes the Facebook photo and full name of the person associated with the address.
The feature helps people understand if they've mistyped their e-mail address at login, but it could be misused by spammers to get information on Facebook's 500 million users.
A spammer with an e-mail list could write a script that enters the e-mail addresses into Facebook and then logs the real names. This could help make a phishing attack more realistic, said Atul Agarwal, the researcher who posted a note about the issue (along with a sample script that could harvest names) to the Full Disclosure mailing list on Tuesday.
More: http://www.pcworld.com/article/203112/
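From the defender's side, the harvesting run described above shows up in login logs as one client failing against many different e-mail addresses in a short time, unlike a user mistyping a password for a single account. The following is an added example, not taken from the article or from the script posted to Full Disclosure; the log format, outcome labels, thresholds and all sample lines are constructed assumptions, and the log is assumed to be in time order.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log: "<ISO time> <client IP> <submitted e-mail> <outcome>"
SAMPLE_LOG = """\
2010-08-11T09:00:00 198.51.100.7 alice@example.com bad_password
2010-08-11T09:00:20 198.51.100.7 alice@example.com bad_password
2010-08-11T09:00:45 198.51.100.7 alice@example.com success
2010-08-11T09:10:00 203.0.113.9 u1@example.com bad_password
2010-08-11T09:10:02 203.0.113.9 u2@example.com unknown_email
2010-08-11T09:10:04 203.0.113.9 u3@example.com bad_password
2010-08-11T09:10:06 203.0.113.9 u4@example.com bad_password
2010-08-11T09:10:08 203.0.113.9 u5@example.com unknown_email
2010-08-11T09:10:10 203.0.113.9 u6@example.com bad_password
2010-08-11T09:20:00 192.0.2.44 a@example.org bad_password
2010-08-11T09:40:00 192.0.2.44 b@example.org bad_password
2010-08-11T10:00:00 192.0.2.44 c@example.org bad_password
"""

def parse(line):
    """Split one log line into (time, ip, normalised e-mail, outcome)."""
    ts, ip, email, outcome = line.split()
    return datetime.fromisoformat(ts), ip, email.lower(), outcome

def find_enumerators(log_text, window_seconds=300, min_distinct=5):
    """Return {ip: peak number of distinct e-mails that failed within the
    sliding window} for every client reaching min_distinct."""
    recent = defaultdict(deque)  # ip -> (time, email) of recent failed logins
    peak = defaultdict(int)      # ip -> highest distinct-address count seen
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, email, outcome = parse(line)
        if outcome == "success":
            continue  # only failed attempts are counted
        q = recent[ip]
        q.append((ts, email))
        # Drop failures that have aged out of the window.
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        peak[ip] = max(peak[ip], len({e for _, e in q}))
    return {ip: n for ip, n in peak.items() if n >= min_distinct}

if __name__ == "__main__":
    for ip, n in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: {n} distinct addresses failed within 5 minutes")
```

A slow run such as the constructed 192.0.2.44 entries stays under the default five-minute window, so a longer window with a lower threshold is worth running alongside it.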