Six Hours, $4500: The Short Life and Quick Death Of A Facebook Bug

A security researcher based in Indonesia disclosed yet another Facebook bug this weekend – one that would allow an attacker to obtain the primary e-mail address associated with any Facebook account.

Hours after informing the social network about the bug, however, it was closed and the researcher, Roy Castillo, was $4,500 richer.

Castillo, a white hat vulnerability researcher based in the Philippines, disclosed the bug in Facebook’s Developer Application Roles Page in a post on his blog on Saturday. When exploited, it allowed an attacker to discover the primary Facebook email address of any account – even those with the email privacy setting on “Only Me,” Castillo wrote.

[Image: Facebook Email Dump] This screenshot shows email accounts associated with Facebook user IDs. (Image courtesy of Roy Castillo.)

Attackers would need a Facebook Developer account and some basic programming knowledge to take advantage of the vulnerability, in which Facebook mistakenly disclosed the e-mail address associated with a unique Facebook user ID.

After discovering the bug on June 25th, Castillo reported it on the 28th. It was fixed some six hours later. Castillo received his bounty, a $4,500 Visa pre-paid card, on July 19th.

The bug is just the latest to be discovered by a vulnerability researcher working outside the company. In June, Facebook was forced to warn customers about a serious information disclosure vulnerability stemming from the company’s aggregation of user and non-user contact information. The so-called “Ghost Profile” problem would have allowed Facebook users to access non-public information about any of their contacts, even if those individuals were not Facebook users. Facebook fixed
