Earlier this month, a user dumped personal details of over 530 million Facebook users on a hacking forum, following which the company acknowledged the vulnerability but said it would not notify users affected by the breach.
While Facebook said it had fixed the previous vulnerability that allowed hackers to scrape data off the social media platform, a security researcher has discovered another vulnerability allowing hackers to scrape email addresses from Facebook. In a video shared with Motherboard, the person noted that the tool used to exploit the vulnerability can scrape email addresses if the user has set their privacy to anything other than the 'Only Me' option. Furthermore, the person also noted that the vulnerability had already been reported to Facebook but the company did not fix it.
Facebook, in response, tried to pass it off as a minor incident but also noted that the vulnerability is still not fixed:
It appears that we erroneously closed out this bug bounty report before routing to the appropriate team. We appreciate the researcher sharing the information and are taking initial actions to mitigate this issue while we follow up to better understand their findings.
Security researcher and CTO of cybersecurity intelligence firm Hudson Rock, Alon Gal, shared more information about the vulnerability, including a proof-of-concept video showing email addresses being scraped from Facebook.
The person who shared the video with Motherboard asked to remain anonymous but confirmed that the tool is available in the hacking community. He further noted that someone could pair these email addresses with phone numbers leaked in the last data breach. This could be a significant blow to Facebook users, as the data could prove valuable to a variety of actors ranging from hackers to telemarketers and scammers.