Full Disclosure mailing list archives

Fake messages and chat bug in Facebook


From: Matteo Fabbri <matteo () phascode org>
Date: Fri, 29 Jun 2012 21:08:41 +0200

Knowing the user's registration email, it is possible to send fake messages /
chat to Facebook users.
The only thing required is a fake mail with the victim's registration email as
the sender, addressed to the Facebook IDs followed by "@facebook.com".

Example:

from victim.email () hotmail com to friend1 () facebook com, friend2 () facebook com...

Sent email will be shown in Facebook like a private message (or chat if
multiple recipients are specified) sent by the Facebook account of the
victim.

(Previously reported vulnerabilities to Facebook)


Matteo Fabbri
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
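
The report above describes a mail-to-message gateway that attributes a message to an account from the From header alone. The following is an added example of the check such a gateway needs before making that attribution; it is not part of the original post and not Facebook's code. The authserv-id, addresses and account ids are constructed, and it assumes the border MTA prepends its own Authentication-Results header to every inbound message.

```python
from email import message_from_string
from email.utils import parseaddr

AUTHSERV_ID = "mx.gateway.example"  # assumption: authserv-id of our own border MTA

def dmarc_result(msg):
    """DMARC verdict from the topmost Authentication-Results header, if it is ours."""
    headers = msg.get_all("Authentication-Results", [])
    if not headers:
        return None
    # Assumption: the border MTA prepends its verdict, so only the first header counts;
    # anything lower down arrived with the message and is sender-controlled.
    authserv, _, results = headers[0].partition(";")
    if authserv.strip().lower() != AUTHSERV_ID:
        return None
    for clause in results.split(";"):
        words = clause.strip().split()
        if words and words[0].lower().startswith("dmarc="):
            return words[0][6:].lower()
    return None

def attribute_sender(raw, accounts):
    """Return the account id to post as, or None when the From header is unproven."""
    msg = message_from_string(raw)
    froms = msg.get_all("From", [])
    if len(froms) != 1:          # missing or duplicated From: ambiguous identity
        return None
    if dmarc_result(msg) != "pass":
        return None
    return accounts.get(parseaddr(froms[0])[1].lower())

# Constructed sample data (hypothetical addresses and account ids)
ACCOUNTS = {"victim@mail.example": 1001}
BODY = "From: victim@mail.example\nTo: friend1@gateway.example\nSubject: hi\n\nhello\n"
AR = "Authentication-Results: mx.gateway.example; dmarc=%s header.from=mail.example\n"
GENUINE = AR % "pass" + BODY
SPOOFED = AR % "fail" + BODY
# The sender supplied a forged "pass"; our MTA's real verdict still sits on top.
FORGED_AR = AR % "fail" + AR % "pass" + BODY
UNCHECKED = BODY  # never stamped by the border MTA

if __name__ == "__main__":
    for name in ("GENUINE", "SPOOFED", "FORGED_AR", "UNCHECKED"):
        print(name, attribute_sender(globals()[name], ACCOUNTS))
```

Messages that return None can still be delivered, but without being shown as sent by the account that owns the From address.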
