What's in an e-mail address?
A bug in Facebook's login system allows attackers to match unknown email addresses with users' first and last names, even when they've configured their accounts to make that information private.
The information leak can be exploited by social-engineering scammers, phishers, or anyone who has ever been curious about the person behind an anonymous email message. If the address belongs to any one of the 500 million active users on Facebook, the social-networking site will return the full name and picture associated with the account. This works even when the user has set all privacy settings properly. Exploiting the vulnerability is as easy as entering the email address into the Facebook sign-on page, typing a random password and hitting enter.
Over the past few years, Facebook has come under criticism for revealing too much information about its users. The social-networking site has responded by giving users more control over who gets to see select pieces of user information. Evidently, the name-to-email address extraction bug has been overlooked. Analysts expect to see it fixed in short order.
Source: The Register.
