Facebook Hack Revealed Any User’s Private Email Address

A Facebook bug bounty hunter recently discovered a serious security vulnerability that allowed him to view the private email address of every Facebook user.

The security researcher, Tommy DeVoss, discovered the bug on Thanksgiving Day and reported it to Facebook. After going back and forth with the site for several weeks, he was finally awarded $5,000 through the site’s Bug Bounty program.

The security flaw stemmed from the Facebook Groups tool that allowed admins to invite any Facebook member to take on an admin role. These admin invitations were sent to the recipients’ private email addresses, and DeVoss discovered that when he canceled pending invitations, he was taken to a page where he could view the full email addresses of the people he’d invited.
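The flaw described above is an information disclosure: a confirmation page echoed back a private attribute (the invitee's email) that the inviter was never entitled to see. The following added example is not Facebook's code; it models the cancel-invite step with an assumed invite store, function names and masking rule, showing the vulnerable response beside a fixed one that checks ownership and returns only a masked address.

```python
"""Model of the Groups invite-cancellation disclosure (illustrative, not Facebook's code)."""
from dataclasses import dataclass


@dataclass
class Invite:
    invite_id: int
    group_id: int
    inviter_id: int
    invitee_name: str
    invitee_email: str  # private contact data, needed only to deliver the invitation


def sample_invites() -> dict:
    """Constructed sample data: one pending admin invitation (not a real user)."""
    return {101: Invite(101, group_id=7, inviter_id=1, invitee_name="Alice Example",
                        invitee_email="alice.private@example.com")}


def mask_email(addr: str) -> str:
    """Keep the first character of the local part and the domain, e.g. a***@example.com."""
    local, _, domain = addr.partition("@")
    return f"{local[:1]}***@{domain}"


def cancel_invite_vulnerable(invites: dict, inviter_id: int, invite_id: int) -> dict:
    """Cancels the invite and echoes the whole record back to the confirmation page.

    No ownership check, and the raw email is returned: any inviter can harvest
    the private address of anyone they invite, just as the article describes.
    """
    inv = invites.pop(invite_id)
    return {"status": "cancelled", "name": inv.invitee_name, "email": inv.invitee_email}


def cancel_invite_fixed(invites: dict, inviter_id: int, invite_id: int) -> dict:
    """Cancels only the caller's own invite and never returns the raw address."""
    inv = invites.get(invite_id)
    if inv is None or inv.inviter_id != inviter_id:
        # Same response for "missing" and "not yours" so the endpoint cannot be
        # used to probe which invite ids exist.
        raise PermissionError("invite not found for this inviter")
    del invites[invite_id]
    # The page needs to confirm *who* was un-invited; a masked address is enough.
    return {"status": "cancelled", "name": inv.invitee_name,
            "email": mask_email(inv.invitee_email)}
```

The fixed version treats the email as delivery data rather than display data; the same rule applies to any confirmation or audit page that renders a record after acting on it.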

As DeVoss pointed out, this hole in Facebook’s security could’ve caused massive problems for the site.

“The hack allowed me to harvest as many email addresses as I wanted from anybody on Facebook. It didn’t matter how private you thought your email address was — I could have grabbed it,” DeVoss said. “Harvesting email addresses this way contradicts Facebook’s privacy policy and could lead to targeted phishing attempts or other malicious purposes.”

It’s heartening that so many security researchers do the right thing and report these hacks when they find them. However, some don’t, and that’s always the concern with giving Facebook so much of your personal information.