For instance, if you set your email address on Facebook to private so that it cannot be seen by anyone, you expect Facebook to keep it private.
But a bug in Facebook found by a security researcher put anyone's primary email address at risk of being exposed in the wild.
Researcher Stephen Sclafani said that, given only a user's ID, it was possible to obtain the primary email address of any Facebook user regardless of their privacy settings.
Sclafani stumbled on an old mailing list that let him know the email address of the user who sent the invitation.
“Clicking on the link in the email, a sign up page filled in with the list’s address and the name of a person who used the link to sign up for an account was displayed,” he said.
Not just that, changing parts of a parameter in the link “resulted in other addresses being displayed,” he added.
The link (from the mailing list), http://www.facebook.com/r.php?re=245bf2da75118af20d917bdd34babddb&mid=59b63aG5af3107aba69G0G46, had 2 parameters.
The security researcher posted the details:
Changing the re parameter did nothing; however, changing parts of the mid parameter resulted in other addresses being displayed. Taking a closer look at the parameter, its value was actually a string of values with “G” acting as a delimiter:
59b63a G 5af3107aba69 G 0 G 46
Only the second value was important. The value was an ID associated with the address that the invitation was sent to in hex. A Facebook user’s numerical ID could be put as this value and their primary email address would be displayed. A user’s numerical ID is considered public information and can be obtained from the source of their profile or through the Graph API.
The Facebook privacy bug, however, was reported last March 22 and was fixed in under 24 hours.
As part of Facebook's bug bounty program, Sclafani was rewarded $3,500.
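The flaw described above is a direct object reference: the record shown on the sign-up page was chosen by an ID taken straight from the link. The following is an added example, not Facebook's code or its actual fix. It parses the "G"-delimited mid format from the article and contrasts a lookup that trusts the ID with one that verifies an HMAC tag first. The key, record IDs, addresses and function names are constructed assumptions.

```python
import hashlib
import hmac

# Constructed sample data: key, record IDs and addresses are assumptions.
SECRET = b"server-side-secret-constructed"
EMAILS = {0x1001: "invitee@example.com", 0x1002: "private.user@example.com"}


def parse_mid(mid):
    """Split a 'G'-delimited mid value and decode the hex ID in field two."""
    fields = mid.split("G")
    if len(fields) != 4:
        raise ValueError("expected four G-delimited fields")
    return fields, int(fields[1], 16)


def prefill_unsafe(mid):
    """Flawed pattern: the ID in the link is trusted, so any ID resolves."""
    _, record_id = parse_mid(mid)
    return EMAILS.get(record_id)


def sign_mid(mid):
    """Issue a link value with an HMAC-SHA256 tag appended as a fifth field."""
    tag = hmac.new(SECRET, mid.encode(), hashlib.sha256).hexdigest()
    return mid + "G" + tag


def prefill_checked(signed_mid):
    """Hardened pattern: verify the tag before any lookup happens."""
    mid, _, tag = signed_mid.rpartition("G")
    expected = hmac.new(SECRET, mid.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison; a modified ID field invalidates the tag.
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None
    _, record_id = parse_mid(mid)
    return EMAILS.get(record_id)


if __name__ == "__main__":
    # The mid value from the article: the second field is a numeric ID in hex.
    print(parse_mid("59b63aG5af3107aba69G0G46"))
    issued = sign_mid("59b63aG1001G0G46")
    print(prefill_checked(issued))
    print(prefill_checked(issued.replace("G1001G", "G1002G")))
```

An opaque random token stored server-side alongside the invited address achieves the same binding without putting any identifier in the link.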