A new vulnerability in Facebook lets attackers know which user profile is linked to an email address




In the last month we have had news of a couple of cases of personal data leaks affecting Facebook users: first the more than 500 million user phone numbers made available on the Internet, and a few days later, the bot available on Telegram that sold phone numbers linked to likes on fan pages.



But since there is no two without three, yesterday a new case was made public: two cybersecurity researchers from the firm Hudson Rock (Alon Gal and Ashkan Soltani) have disclosed a new vulnerability in this social network ...

... which makes it possible to find out which email address is behind a given Facebook profile (even when it is not publicly visible). It would seem to be enough that the privacy setting for that email address is any option other than "Only for me".



Even worse, there is already a tool that is reportedly exploiting this vulnerability actively, allowing tens of millions of checks per day to be carried out: it takes public email lists and shows which Facebook accounts are linked to them.



And, according to those same researchers, the data produced by this tool, available on the Darknet, is reportedly already being used to compromise the accounts of Facebook advertisers.



Facebook 'missed' fixing the vulnerability



The worst part is that Facebook had known for a long time about the vulnerability that made this possible, but it was not fixed ... because, according to the company's official response,




"We mistakenly closed this bug bounty report before heading to the right team."






Facebook Email Search

Image (censored, to protect personal data) of the tool in action.



Facebook has thanked the Hudson Rock researchers for "sharing this information" and is already "taking initial action to mitigate this problem."



Soltani and Gal learned about this security hole through a 'source' who sent them a video showing how the tool in question worked. In it, an unidentified voice can also be heard:




"I am consulting 65,000 email addresses. And as can be seen in the check-out [visible in the video], I'm getting a significant amount of results from them."



"This is not only a major privacy breach, but it will lead to a new major data breach. [...] I think this is quite a dangerous vulnerability and I would like your help to stop it."