A Facebook bug bounty hunter recently discovered a serious security vulnerability that allowed him to view the private email address of every Facebook user.
The security researcher, Tommy DeVoss, discovered the bug on Thanksgiving Day and reported it to Facebook. After going back and forth with the site for several weeks, he was finally awarded $5,000 through the site’s Bug Bounty program.
The security flaw stemmed from the Facebook Groups tool that allowed admins to invite any Facebook member to take on an admin role. These admin invitations were sent to the recipients’ private email addresses, and DeVoss discovered that when he canceled pending invitations, he was taken to a page where he could view the full email addresses of the people he’d invited.
As DeVoss pointed out, this hole in Facebook’s security could’ve caused massive problems for the site.
It’s heartening that so many security researchers do the right thing and report these flaws when they find them. However, some don’t, and that’s always the concern with giving Facebook so much of your personal information.