Atul Agarwal, a security researcher and CEO of Secfence Technologies, “accidentally” discovered that Facebook can be prompted to reveal the user names and profile pictures of users who have set their privacy settings to conceal this information. Agarwal states the issue was discovered when he entered an incorrect password while trying to log into Facebook.
Facebook then returned a user name, profile picture and the registered email address even though the password was incorrect. As a result, a malicious user could discover the Facebook names associated with authentic email addresses. Agarwal stated this exploit works even if all privacy settings are set correctly and makes harvesting data very easy.
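The defect described above is a classic account-enumeration pattern: the login form answers differently for an unknown address than for a registered one, and hands back profile data before the password has been verified. The following is an added example (not Facebook's code, not from the article) with a constructed user store, showing the leaky handler beside a hardened one that returns the same response in both failure cases, plus a check that tells the two apart.

```python
import hashlib
import hmac
import secrets

SALT = b"constructed-salt"  # constructed; real systems use a per-user random salt

def pw_hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 50_000)

# Constructed user store: e-mail -> the profile fields the article says were exposed.
USERS = {
    "alice@example.com": {"name": "Alice Example", "picture": "/pics/alice.jpg",
                          "pw_hash": pw_hash("correct horse")},
}
# Hash compared against when the e-mail is unknown, so timing matches a real user.
DUMMY_HASH = pw_hash(secrets.token_hex(16))

def login_leaky(email: str, password: str) -> dict:
    """Vulnerable pattern: as soon as the e-mail matches an account, the response
    confirms it exists and returns the name and picture, whatever the password."""
    user = USERS.get(email)
    if user is None:
        return {"ok": False, "error": "unknown email"}
    if not hmac.compare_digest(user["pw_hash"], pw_hash(password)):
        return {"ok": False, "error": "wrong password",
                "name": user["name"], "picture": user["picture"]}
    return {"ok": True, "name": user["name"]}

def login_uniform(email: str, password: str) -> dict:
    """Hardened: one generic failure message, no profile data before authentication,
    and the password is always hashed so unknown e-mails are not faster to reject."""
    user = USERS.get(email)
    stored = user["pw_hash"] if user is not None else DUMMY_HASH
    valid = hmac.compare_digest(stored, pw_hash(password)) and user is not None
    if not valid:
        return {"ok": False, "error": "invalid email or password"}
    return {"ok": True, "name": user["name"]}

def enumerable(login) -> bool:
    """Check a handler for the article's defect: does a failed login for an unknown
    address differ from a failed login for a registered one?"""
    return login("nobody@example.com", "wrong") != login("alice@example.com", "wrong")
```

The same check belongs in a login handler's test suite, alongside a timing comparison of the two failure paths.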
Automated corrections like this one are often helpful, but they carry great potential for misuse in the wrong hands.
This failure on Facebook’s part can also make phishing attempts more successful. Furthermore, the ability to create a list of valid email addresses could prove to be a treasure trove for spammers.
Facebook states that they are investigating the issue.