Full Disclosure mailing list archives
Facebook name + photo extraction using 'Forgot Password' page
From: Rishabh Singla <rishabhsingla () rishabhsingla com>
Date: Thu, 12 Aug 2010 13:36:34 +0530
Hi everyone,

This is with reference to the post by Mr. Atul Agarwal dated 11-Aug-10, and posted here (http://seclists.org/fulldisclosure/2010/Aug/130), in which Mr. Atul describes how a spammer might enter email addresses and extract the names (and photos) from Facebook accounts registered against those email IDs. Mr. Atul also mentions that this technique can be used to *validate* email addresses in one's possession.

Would like to point out that another way to harness this information is through Facebook's "Forgot your password?" page (located at http://www.facebook.com/reset.php). By entering an email address on this webpage, a user's name, a photo and possibly a snippet of text is displayed (assuming a Facebook user exists against this email ID).

I came across this on 6-Jun-10, and posted the same on my blog on 7-Jun-10. You might want to read the details on my blog ( http://blog.rishabhsingla.com/2010/06/facebooks-reset-password-page-has.html ).

Rishabh Singla
http://blog.rishabhsingla.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
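
The disclosure described in the message above, set beside a reset handler that does not leak it. This is an added example, not part of the original post and not Facebook's code; the account store, handler names and response text are assumptions made for illustration.

```python
import secrets

# Constructed sample data: a toy account store, not real accounts.
ACCOUNTS = {
    "alice@example.com": {"name": "Alice Example", "photo": "/photos/1.jpg"},
}
OUTBOX = []  # stands in for the outgoing mail queue

GENERIC = {
    "status": 200,
    "body": "If an account matches that address, a reset link has been sent to it.",
}


def reset_leaky(email):
    """Behaviour described in the post: the page shows who owns the address."""
    acct = ACCOUNTS.get(email.strip().lower())
    if acct is None:
        return {"status": 404, "body": "No account found for that address."}
    return {"status": 200, "body": f"Is this you? {acct['name']} {acct['photo']}"}


def reset_uniform(email):
    """Hardened form: identical response whether or not the account exists.

    Name and photo are never rendered to the unauthenticated requester; the
    reset token goes only to the mailbox, so only its owner sees it.
    """
    key = email.strip().lower()
    token = secrets.token_urlsafe(32)  # generated on both paths
    if key in ACCOUNTS:
        OUTBOX.append((key, token))
    return dict(GENERIC)


def distinguishable(handler, known, unknown):
    """True when a caller can tell a registered address from an unregistered one."""
    return handler(known) != handler(unknown)


if __name__ == "__main__":
    for h in (reset_leaky, reset_uniform):
        print(h.__name__, distinguishable(h, "alice@example.com", "nobody@example.com"))
```

A uniform response removes the name and photo disclosure and the existence signal in the response body; per-client rate limiting on the endpoint is still needed alongside it.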