Obtaining The Primary Email Address Of Any Facebook User
Jared Sperli stashed this in security
Given only their ID, it was possible to obtain the primary email address of any Facebook user regardless of their privacy settings.
Anyone who has subscribed to a public mailing list knows the problem of members inviting their entire contacts list, including the mailing list, to every new social site and app. This has turned mailing list archives into a Wayback Machine for email notifications. Searching through some old mailing lists I came across a Facebook invitation reminder circa 2010:
Clicking on the link in the email, a sign up page filled in with the list’s address and the name of a person who used the link to sign up for an account was displayed:
The link contained two parameters: “re” and “mid”:
Changing the re parameter did nothing; however, changing parts of the mid parameter resulted in other addresses being displayed. Taking a closer look at the parameter, its value was actually a string of values with “G” acting as a delimiter:
59b63a G 5af3107aba69 G 0 G 46
Only the second value was important. The value was an ID associated with the address that the invitation was sent to in hex. A Facebook user’s numerical ID could be put as this value and their primary email address would be displayed. A user’s numerical ID is considered public information and can be obtained from the source of their profile or through the Graph API.
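To make the defect concrete, here is an added Python illustration (not code from the original post or from Facebook): it parses the G-delimited "mid" layout described above, shows why a lookup that trusts the client-supplied hex ID discloses another user's address, and contrasts it with a token bound to its fields by a server-side HMAC, so a swapped ID is rejected. The key, directory contents and function names are all constructed for the example.

```python
import hashlib
import hmac

# Constructed sample data for the demonstration (hypothetical key, fake addresses).
KEY = b"server-side-secret-key"            # signing key that never leaves the server
DIRECTORY = {0x5af3107aba69: "list@example.org",   # address the invitation was sent to
             4: "other-user@example.org"}          # some other user's primary address

def parse_mid(mid):
    """Split a legacy 'mid' into its four G-delimited fields.

    'G' is not a hex digit, so it can never collide with the hex ID in field two.
    """
    fields = mid.split("G")
    if len(fields) != 4:
        raise ValueError("expected 4 G-delimited fields")
    return {"prefix": fields[0], "recipient_id": int(fields[1], 16),
            "flag": fields[2], "suffix": fields[3]}

def lookup_legacy(mid, directory=DIRECTORY):
    """Vulnerable pattern: any ID the client writes into the token is honoured."""
    return directory.get(parse_mid(mid)["recipient_id"])

def sign_mid(mid, key=KEY):
    """Hardened pattern: append an HMAC over the fields as a fifth G-delimited field."""
    tag = hmac.new(key, mid.encode(), hashlib.sha256).hexdigest()[:32]
    return mid + "G" + tag

def lookup_signed(signed_mid, key=KEY, directory=DIRECTORY):
    """Only tokens the server issued pass; editing the ID invalidates the tag."""
    mid, _, tag = signed_mid.rpartition("G")
    expected = hmac.new(key, mid.encode(), hashlib.sha256).hexdigest()[:32]
    if not hmac.compare_digest(tag, expected):
        return None
    return directory.get(parse_mid(mid)["recipient_id"])

def tamper_id(signed_mid, new_hex_id):
    """Rewrite the ID field of a token the way the post describes, keeping the rest."""
    fields = signed_mid.split("G")
    fields[1] = new_hex_id
    return "G".join(fields)
```

With the legacy lookup, rewriting field two to another user's hex ID returns that user's address; with the signed token the same edit is rejected.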
Holy smokes, this is very bad!
Wait, I think it's even easier than that. You simply take their userid and add @facebook.com onto it, as they've made all users' primary emails facebook addresses. Voila!
Sure, but @facebook.com email addresses are not considered private.
We know this because the default policy is that anyone can email any Facebook address, unless the recipient has gone in and changed her or his settings.
What's upsetting about the hack Stephen Sclafani uncovered is that Facebook has made private information easily accessible.
Which goes back to the simple and easy to understand mantra: don't give Facebook ANYTHING you don't want eventually broadcast to the whole world.
Huh, were we talking about privacy and Facebook?! Well, I totally agree that we should not give Facebook anything we really want to keep private. "Facebook privacy" = oxymoron.
It always amazes me that people are shocked that Facebook has no real privacy.