New Facebook vulnerability could tie millions of accounts and email addresses together

The company allegedly initially said that the flaw was not important enough to be addressed

A security researcher claims to have discovered a new bug in Facebook that could enable millions of Facebook accounts to be linked with their associated email address - even when the user's privacy settings disallow this.

The anonymous researcher created a video demonstrating a tool called Facebook Email Search v1.0 (FES), which exploits a front-end vulnerability to link Facebook accounts to email addresses. He sent the video to Ars Technica on the condition it not be shared, although the site has created a transcript.

Criminals can input known email addresses into FES, which will then search for the associated account(s). The tool can process up to five million email addresses each day.

The researcher says he spent about $10 to buy 250 newly registered Facebook accounts, as FES requires having an account 'in good standing' to harvest data. He used those accounts to query about 65,000 email addresses.
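The abuse pattern described above (a batch of freshly registered accounts issuing tens of thousands of email lookups with a high match rate) is the kind of thing a platform's abuse-detection logic can flag. The following is an added illustration, not Facebook's code: the lookup event format, the `account_age_days` field, the thresholds and the sample events are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not real logs): a one-day-old account issuing 120
# email lookups in ten minutes with an 80% match rate, and an established
# account doing a handful of lookups over half an hour.
T0 = datetime(2021, 4, 22, 9, 0, 0)
SAMPLE_EVENTS = [
    {"ts": T0 + timedelta(seconds=5 * i), "account": "acct_new_01",
     "account_age_days": 1, "matched": i % 5 != 0}
    for i in range(120)
] + [
    {"ts": T0 + timedelta(minutes=7 * i), "account": "acct_old_42",
     "account_age_days": 900, "matched": i % 2 == 0}
    for i in range(5)
]


def detect_enumeration(events, max_age_days=7, min_lookups=50,
                       min_hit_rate=0.5, window=timedelta(hours=1)):
    """Flag accounts that are newly registered, issue many email lookups
    within a single time window, and get a high proportion of matches.
    Random or mistyped addresses would produce a low hit rate; a curated
    list of known-valid addresses produces a high one."""
    by_account = defaultdict(list)
    for ev in events:
        by_account[ev["account"]].append(ev)

    flagged = {}
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["ts"])
        if evs[0]["account_age_days"] > max_age_days:
            continue  # established account: outside this heuristic's scope
        # Sliding window over timestamps: largest number of lookups that
        # fall within `window` of each other.
        peak, start = 0, 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            peak = max(peak, end - start + 1)
        hit_rate = sum(1 for e in evs if e["matched"]) / len(evs)
        if peak >= min_lookups and hit_rate >= min_hit_rate:
            flagged[account] = {"peak_lookups_per_window": peak,
                                "hit_rate": round(hit_rate, 2)}
    return flagged


if __name__ == "__main__":
    print(detect_enumeration(SAMPLE_EVENTS))
```

The thresholds are illustrative; in practice they would be tuned against the platform's baseline of legitimate lookup volume per account.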

"And as you can see from the output log here, I'm getting a significant amount of results from them," the researcher says in the video.

"If I have a look at the output file, you can see I have a user ID name and the email address matching the input email addresses, which I have used."

He added, "Now there was an existing vulnerability with Facebook earlier this year, which was patched. This is essentially the exact same vulnerability. And for some reason, despite me demonstrating this to Facebook and making them aware of it, they have told me directly that they will not be taking action against it."

When Ars Technica contacted the company about the issue, Facebook said, 'It appears that we erroneously closed out this bug bounty report before routing to the appropriate team.

'We appreciate the researcher sharing the information and are taking initial actions to mitigate this issue while we follow up to better understand their findings.'

The company did not respond to a question about whether its bug bounty team dismissed the flaw as unimportant.

A Facebook representative said that the company's engineers believed they had mitigated the leak by disabling the technique shown in the video.

It is currently unknown whether threat actors have exploited the new vulnerability to build a database of Facebook users' email addresses, although the researcher claims that they already have.

In the hot seat

This is just the latest in a string of bad press for Facebook this month.

The report of this vulnerability comes days after a massive data leak from the social media giant, in which more than 500 million users' personal details were released online.

The leak exposed masses of users' personal information, including their full names, phone numbers, gender, date of birth, location, relationship status and email addresses.

Ireland's Data Protection Commission (DPC) has opened an inquiry into the leak, which might have breached 'one or more provisions of the EU's General Data Protection Regulation (GDPR) and/or the Data Protection Act 2018'.

Earlier this week, an internal email accidentally sent to a journalist by a Facebook representative also revealed the company's long-term strategy of framing data scraping incidents as a 'normalised, broad industry issue'.

'Longer term, though, we expect more scraping incidents and that it's important to both frame this as a broad industry issue and normalise the fact that this activity happens regularly,' reads the email, dated 8 April and addressed to the company's PR staff in EMEA.