Facebook has another data protection problem on its hands. A security researcher shared a video with Vice, Ars Technica, and others showing how a tool can match email addresses to Facebook profiles in bulk, even if users chose to hide their email information from the public. According to the original source, they reported the front-end security flaw that the tool abuses to Facebook, but were apparently told that the company would take no action against it.
In a statement sent to the publications, the social network said it “accidentally closed [the] bug bounty report [for the vulnerability] before forwarding it to the appropriate team.” “We are now taking our first steps to resolve this issue.”
Alon Gal, co-founder of cybercrime intelligence company Hudson Rock, tweeted about the tool along with a copy of the video. Technologist Ashkan Soltani also tweeted a transcript of the original video, in which the source talked about how they used the tool to match 5 million addresses to Facebook accounts within a day. They also said the tool is available from hacking groups and that bad actors use it to target site and ad account owners with email access attacks, with the aim of taking over their sites and accounts for cash.
Below is a transcript of a video the researcher shared to demonstrate the attack (he asked to remain anonymous).
He states that automated software is available in the hacking community to exploit this vuln, which is used to compromise FB advertising accounts.
More details will follow pic.twitter.com/3P7rc6VyIB
– ashkan soltani (@ashk4n) April 20, 2021
Facebook did not say what it has already done to prevent the tool from exploiting the vulnerability. Hopefully the necessary steps have been taken to fix the bug, as there is a large-scale campaign going on to build a huge database for malicious purposes, according to the source. Upon completion, the database will be populated with email data captured using this tool, as well as the personal data of the 533 million Facebook members affected by a breach that was announced last month.