According to a recent exposé by security researcher Stephen Sclafani,
the primary email address you submit to Facebook when joining was until recently freely available to spammers and hackers, via a rather glaring flaw in the invitation process. After receiving an invitational email from a friend to join them on the world's largest social networking site, savvy users could change part of the invite URL to reveal that person’s email address. The URL contained two parameters, “re” and “mid,” and by changing the latter, the user’s email address was open to exploitation.
This practise would have only exposed the email address of the person
if they had sent an invitation in the first place. However, The Hacker News reports
that the security flaw has more significant consequences when combined
with easy access to the Facebook People Directory and the Numerical
Facebook ID database via Graph API. With each users numerical ID in
hand, they could have then used this information to modify the initial
email invite URL, revealing the personal email addresses of each user.
In short, they would have theoretically been able to download and store
the email addresses of Facebook’s one billion users, and then use this
information to send targeted spam emails, install malware, or worse.
Rather than exploit this gaping hole in the social network’s defences,
Stephen Sclafani reported the issue to the Facebook Security Team on
March 22nd. After being notified of the issue, they were able to mend
the chink in their armour within 24 hours of the issue coming to light.
Facebook also rewarded Sclafani with a prize of $3,500 as part of their
Bug Bounty program, a relatively small sum, considering what was at
stake.
If you have concerns about your online security, you can strengthen your internet connection by using a VPN service. The VPN works
as an additional layer of protection between the data stored on your
device and any external groups attempting to access it.
