Facebook page administrator names were exposed to the general public after a fault struck the social media platform this week.
Egyptian security researcher Mohamed Baset, founder of cybersecurity firm Seekurity, won $2,500 from Facebook’s bug bounty program after finding a flaw in an invitation to like a Facebook page.
Baset described the bug as a “logical error” in an auto-generated email sent on behalf of a Facebook page.
Researchers who point out flaws in company architectures – commonly known as “white-hat” hackers – have been handed more than $5 million by Facebook since 2011.
In a statement Facebook admitted there was a problem but claimed the bug had been patched.
What you need to do now
- Facebook Page Admins: Nothing, the bug has been fixed and shouldn’t affect your invites or your security
- Facebook users: Make sure you have your privacy settings how you want them
- You can now choose whether your posts are Public, which means anyone on Facebook can find them, from journalists to employers to the government, or shared with Friends only
- Bug hunters: Start looking today. Facebook has already paid out more than $800,000 in rewards in the past 12 months to security researchers testing their systems
How was the flaw exposed?
The email invited Baset to like a Facebook page on which he’d liked an individual post. Page administrators can click a button that generates these emails automatically.
Their aim is to convert readers into followers.
It’s basically the same as when an occasional reader of a blog is asked to subscribe to a newsletter, or an occasional listener to a podcast is asked to sign up to the podcast service.
Because the email was unusual, Baset looked at it in more detail.
He simply opened the ‘show original’ drop-down menu option in the email and found that, in its non-HTML form, the email contained the name and admin ID of the page administrator who had sent the message.
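As an added illustration (not part of the article, and not Facebook’s code), the following Python script shows the defender-side check the finding implies: compare the text/plain and text/html alternatives of a MIME message and report word tokens that only the plain-text part carries, since that is exactly what ‘show original’ exposes and the mail client hides. The sample email, admin name and numeric ID are constructed.

```python
import re
from email import message_from_string
from html.parser import HTMLParser

# Constructed sample invite email (not a real Facebook message): the text/plain
# alternative names an admin and a numeric ID that the HTML alternative omits.
SAMPLE_RAW = """\
From: notification@example.invalid
To: reader@example.invalid
Subject: Like this page
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

Sent by Example Admin (admin id 1000000000001) on behalf of Example Page.
Like Example Page to keep seeing posts.
--b1
Content-Type: text/html; charset=utf-8

<html><body><p>Like <b>Example Page</b> to keep seeing posts.</p></body></html>
--b1--
"""

class _TextExtractor(HTMLParser):
    """Collects the displayed text of an HTML part, dropping tags."""
    def __init__(self):
        super().__init__()
        self.chunks = []
    def handle_data(self, data):
        self.chunks.append(data)

def _part_text(msg, subtype):
    """Decoded body of the first text/<subtype> part, or '' if absent."""
    for part in msg.walk():
        if part.get_content_type() == "text/" + subtype:
            raw = part.get_payload(decode=True)
            return raw.decode(part.get_content_charset() or "utf-8")
    return ""

def plain_only_tokens(raw):
    """Word tokens in the text/plain alternative that the rendered HTML never
    shows; a mail client hides these, 'show original' reveals them."""
    msg = message_from_string(raw)
    ex = _TextExtractor()
    ex.feed(_part_text(msg, "html"))
    plain = set(re.findall(r"\w+", _part_text(msg, "plain").lower()))
    html = set(re.findall(r"\w+", " ".join(ex.chunks).lower()))
    return sorted(plain - html)
```

Run over outgoing notification templates, a non-empty result is the signal to review what the plain-text alternative is quietly carrying.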
Because it is such a treasure trove of personal data, including photographs, home and work addresses, and easily searchable family relationships, Facebook is a goldmine for anyone seeking to do you harm by exposing, stealing or leaking your information.