Facebook Temporarily Ignored a Bug Report of a Vulnerability Allowing Attackers to Link Emails to Accounts


A security researcher has found a front-end vulnerability in Facebook that allows him to correctly link email addresses to users’ accounts. Facebook initially dismissed the bug report, which forced the researcher to reveal it to publications.

Just a month ago, a database containing millions of entries showed up online. Before that, a bug in a Facebook API allowed attackers to identify phone numbers belonging to Facebook users. Now the company faces another significant problem: a security researcher has figured out a way to link email addresses to Facebook accounts. By default, the emails linked to accounts are not publicly accessible.

Because Facebook chose to ignore the bug report, saying that it was not a real problem, the security researcher decided to make a video demonstrating how an app named Facebook Email Search v1.0 works. In theory, the application could link up to 5 million accounts per day. The researcher shared the video with Ars Technica on the condition that it not be published.

The demonstration was done on a list of 65,000 email addresses, which the researcher fed into the program.

“As you can see from the output log here, I’m getting a significant amount of results from them,” said the researcher. “I’ve spent maybe $10 to buy 200-odd Facebook accounts. And within three minutes, I have managed to do this for 6,000 [email] accounts.”

Following the public release of this information, Facebook reconsidered its position, saying that it had mistakenly dismissed the researcher’s claims and that it is working to fix the problem.

“It appears that we erroneously closed out this bug bounty report before routing to the appropriate team,” Facebook said. “We appreciate the researcher sharing the information and are taking initial actions to mitigate this issue while we follow up to better understand their findings.”