Facebook bug can reveal every user's full name and picture


A bug in Facebook's login system reveals your full name and profile picture, no matter how high your privacy settings are set. The bug was spotted by The Register, and it's a wonder no one noticed this potentially dangerous behaviour before. The picture and details page at login has been around for a long time, but word never got out about the security risk it poses.

The bug allows anyone, even those without an account, to enter a person's email address and a random password, revealing the user's full name and profile picture. This technique will even reveal accounts that have set their privacy settings to be searchable by friends of friends or nobody. This means every account on Facebook, no matter how secure, can have its basic information and profile picture revealed.

Although the bug might seem harmless, it means anyone can take an email address associated with a Facebook account and reveal your information. This could spell disaster if your email is on a spam mailing list and run through a simple script that checks each email address and gathers information from Facebook.

There isn't much any user can do at the moment, other than wait for Facebook to address the situation and apply a quick fix for the problem.


It isn't really a bug, just to help you identify clearly which account you're dealing with. You can't do much with that information, which left you some choices to reset password.

I actually noticed this one time when I accidentally put my password in wrong and thought the exact same thing: I could put a random email with a random password and get the name and picture.
Facebook and other social networking sites are MAJOR privacy risks nowadays - most people don't even realize it.

Time to delete my account... Facebook really isn't worth it. I laugh at the users killing their eyesight and brain cells playing Farmville, YoVille, Mobsters, etc.

If you really want to connect to your friends, just text, email, or call them... (more likely text since some teens haven't made a call on their phone in years... and nobody looks or even sends emails these days besides adults.)

Yakuzing said,
Like if someone gets your phone number they can find you in the phone book.........

Great analogy! By the way, in case people haven't noticed, this 'exploit' no longer works. The Register's article has been updated to reflect this.

Kwanza said,
That's been there for weeks... I never knew it was a bug even if I found it kinda weird

Years actually, it's only now just been raised to be a possible security flaw in Facebook's system.

As I posted in the last facebook thread yet my comment seems to have been deleted. I can see friends and non friends walls that are usually hidden just by typing 4 characters in the URL.

Facebook is far from secure

It will only show the email if you use email to try and log in.. so you've not gained any new information there. If you try and log in with username you will only be shown the username and not the email so no new info there either.

While in this circumstance this is unique to Facebook, use of email address for login and recovery purposes is a fundamental flaw in most websites.

Use a lost password recovery form using person X's email address and you can confirm whether or not they are a member. For those sites which do not confirm whether the account exists or not when you attempt recovery, you could always try to sign up using said email address, and if the person is registered you'll usually be advised that an account with that email address already exists.

For me, this seems far more worrying than your picture and full name being revealed. By this method you can expose membership of political sites, sites of illegal or pornographic nature etc. This could be far more damaging for the end user, and is an issue nobody really seems concerned about.

While this time this is a failing on Facebook's part, it's the end user who risks their name and picture becoming public domain. There's always a risk when using these services, no technology is completely secure or free from designer error.

I guess it's not a wise decision anyway to use your primary email which everybody knows (especially people at your work) to register for "political sites, sites of illegal or pornographic nature etc." or even to Facebook.

kInG aLeXo said,
I guess it's not a wise decision anyway to use your primary email which everybody knows (especially people at your work) to register for "political sites, sites of illegal or pornographic nature etc." or even to Facebook.

Absolutely, but I don't think 99% of the population will realise this.

Fun time killer if you enjoy stalking random people on the internet.

batman@yahoo.com, aka Agus Hendrawan from Indonesia, I'm watching you!

buckhole said,
Fun time killer if you enjoy stalking random people on the internet.

batman@yahoo.com, aka Agus Hendrawan from Indonesia, I'm watching you!

Lol !

Although many people think this is nothing to worry about, nothing stops someone from writing a piece of code to checklist a huge database of email addresses against Facebook logins, they can then target you with spam with your photo and complete name. Are you a bit more concerned now?

imachip said,
Are you a bit more concerned now?

Also not concerned. Spam is spam, I ignore it either way, if it says "Dear Majesty" or "Dear Andrew"

imachip said,
Although many people think this is nothing to worry about, nothing stops someone from writing a piece of code to checklist a huge database of email addresses against Facebook logins, they can then target you with spam with your photo and complete name. Are you a bit more concerned now?

No, because I smell spam from miles away, and people generally falling for the spam mails are already falling for it without their picture and username. Dear 100000000000th winner is enough apparently.

treemonster said,
i love how so far all the previous posters are so lax about the use and abuse of their real name and pic on the net

Nope, we are not talking about that, and we can't do anything about how Facebook shows our picture and real name. We tried once but there wasn't much support.

treemonster said,
i love how so far all the previous posters are so lax about the use and abuse of their real name and pic on the net

And what about any well-known person in the world? Everyone knows their full name, knows what they look like, and even know their birthdate, where they live, etc.

You, sir, are ridiculous. Quit worrying about your precious name and photo, and start living life.

While I believe Facebook needs to make privacy #1 on their list, this "bug" is a non-issue. I love how some sites and people I know blow things way out of proportion without knowing the details. If people would think, even for a second, they'd realize things are not as serious as they seem.

It's been like that for ages (months?), it's not a bug. But it could do with integrating with the account security option so that it will only show up if a successful login has been made from that device.

Is this honestly a big deal?????

You put yourself on the internet, you can't expect everything to be secure. Oh no, so someone can see a picture and my name! Who the heck cares? News is so useless often.....

I have experienced this 'bug' for the last week without knowing it was a 'bug'. Unless people know one's email, I don't really see it as a potential problem [if you're not that paranoid that people know your full name and a mini-picture of you]

Nice. Every marketing firm now has a name and a picture to associate with their entire spam list, except those fortunate enough not to be associated with a Facebook account, such as my most spammed account.

It's just bad practice to confirm a username anyway. The username is not meant to be secure, but there's no reason to effectively confirm "you got the username right, but not the password."

Facebook just keeps getting better and better.

Singh400 said,
Sorry, I don't see this an issue myself. You need their email address first...

Agree. And as far as I know, the full name and picture are public no matter what you choose

Singh400 said,
Sorry, I don't see this an issue myself. You need their email address first...

I don't think many people will consider it a problem on an individual level. However, I do see it to be a problem on a grand scale when considering the spammers and would-be social engineers now have a possible way to get your first and last name to use in emails to lure you into more plausible scams.

"Dear Name" is a lot more convincing than "Dear sir or madame". People are already being tricked by this stuff. Giving them an unnecessary tool is not exactly helpful.

For instance, now they can infer a lot from your email address combined with your name and picture. Even ignoring the picture, they can now use the address from, say, a university to trick less savvy students into--well--anything in very official looking ways using their real name.

Singh400 said,
Sorry, I don't see this an issue myself. You need their email address first...

Actually, I'm pretty sure emails aren't needed to log in... I don't even use one. All you need is the username. Remember the implementation from a few months ago? Your username leads you to your facebook.com/username page.

Pickypg, I see your point and frankly I agree this is just another way for scammers/spammers to confirm an email address. And hell, it could open the doors a bit for those grievers that lurk the net. There will be those that will take advantage of this and send threatening or loosely threatening emails to strangers. So yes, this needs to be 'patched' - but since when did Facebook ever concern itself with the privacy of its users? And you really don't need an email address - you can guess one, and if you are lucky you basically get two things when you guess correctly: confirmation of a valid email address and a user's Real Name or Profile name.

Edited by Alan25, Aug 11 2010, 10:10pm :

Singh400 said,
Sorry, I don't see this an issue myself. You need their email address first...

What if your friends forward you an email? Yours and everybody else's email is now in a giant spam list. These lists are sold underground to spammers. Having someone's real name could make phishing your account for your Facebook password that much easier.

Not everyone might fall for it, but some people will see Facebook is sending them an email with their real name and associated email account, possibly giving up their password.

You just need to look at this from a bigger perspective, and not "no one knows my email address, I'm fine".

Go figure... last week this disabled my account cause it told them someone got access using my info and they said I violated the terms... more or less they just cannot make it secure... idiots... fix your service... I was not even at my computer at the time the violation happened, it's so frustrating

djstar8 said,
Go figure... last week this disabled my account cause it told them someone got access using my info and they said I violated the terms... more or less they just cannot make it secure... idiots... fix your service... I was not even at my computer at the time the violation happened, it's so frustrating

It is secure, your password must be your first name, or 1234 or something. Use common sense. They sell it at the 99 cent store.

djstar8 said,
Go figure... last week this disabled my account cause it told them someone got access using my info and they said I violated the terms... more or less they just cannot make it secure... idiots... fix your service... I was not even at my computer at the time the violation happened, it's so frustrating

Accounts don't get hacked. You either gave your password away or you got keylogged.

I was going to say can't they just search your name and have it come up, apparently you can change settings to hide yourself from that.