Facebook friends leak without password

Văn Hòa Nguyễn
Published in tradahacking
Mar 30, 2019

Facebook has recently been facing many privacy problems. Recently my friend’s email was registered on Facebook by someone else, who faked his information; luckily he checks that email quite frequently and closed that account after 1 day.

At first I didn’t know what the purpose of creating an account using someone else’s email was, but suddenly an email from Facebook introducing me to a new friend led me to a new finding: a hacker can use these accounts to find out the relationships of the target user.

“Friend suggestion” email from Facebook.

After that I tried to register using one of my old Gmail accounts, but Facebook immediately required verification by connecting to Google.

So I tried to register using an email on another domain, and this time, surprisingly, we could skip the verification:

After skipping the verification, we just need to navigate to https://www.facebook.com/find-friends/browser/ to see the suggested friends. I checked together with my friends and confirmed that the suggested list is quite accurate.

Suggested friends for unverified account

My guess is that these friends are suggested using the contacts/email sync function from the friends’ accounts and their email history.

Using this method, a hacker can perform social phishing attacks against anyone using only an email database, with no need for a pwned password. Here in Vietnam these attacks are quite common: young hackers keep scamming people’s accounts and asking the victims’ friends for phone cards, and there are ones that have earned multi-billion VNĐ (100,000s USD) using only that method, so this is very critical.

I contacted Facebook about this issue, but one of their security staff responded “the behavior you’ve described is intended functionality” and then there was no more reply.

So, protect yourself from that intended functionality by adding all your important emails to Facebook, or keep checking these emails regularly and block any Facebook registration on that account before it is used to scam your friends/relatives.
