When you sign up on Facebook, you have to enter an email address and that email address becomes your primary email address on Facebook.
In a recent disclosure by a Security researcher, Stephen Sclafani - The Social Networking site Facebook was vulnerable to disclosure of primary email address of any Facebook user to hackers and spammers.
The flaw resides in the invitation mechanism of Facebook, using which one can invite his all contacts emails to Facebook for making new account.
As shown in following screenshot, an invitation received on an email, where one need to click the Signup URL:
After clicking that URL, invited user will be redirected to a signup page filled in with the email address and the name of a person who used the link to sign up for an account was displayed:
There are two parameters in this URL, i.e "re" and "mid". According to Stephen changing some part of "mid" parameter can expose the email address of another user.
59b63a G 5af3107aba69 G 0 G 46
He explained that, in above string, "G" acting as a delimiter/separator, where 2nd value after first "G" i.e 5af3107aba69 is the Profile ID of user. Replacing user ID can give expose email ID of any user in Sign Up Page. Attacker can obtain this numerical ID of facebook profile from Graph API.
Using this flaw attacker can extract email address of all facebook profiles for spamming or hacking purpose. Attacker need to just write an automated script/code to grab all email address of billions of facebook users.
Using following steps hacker can write a automated code to grab all emails:
1.) Grab profile links of all facebook users from Facebook People Directory i.e https://www.facebook.com/directory/people/
2.) Collect Numerical Facebook ID for each Profile from facebook Graph API i.e https://graph.facebook.com/mohitkumar.thehackernews, where extracted user ID is 1251386282.
3.) In Next step, using curl or other methods open the modified URL for each profile ie https://www.facebook.com/r.php?re=245bf2da75118af20d917bdd34babddb&mid=59b63aG1251386282G0G46
4.) Filter the email address exposed in the Source code obtained from above step for each profile and store in database.
This way, above vulnerability was able to put every facebook user at Risk, but Stephen's responsible disclosure to Facebook Security team save us. He is rewarded with $3,500 for helping them to patch this flaw.