
Facebook Fixes User Email Address Leakage

"Previously, when people typed in a legitimate e-mail address on Facebook's password reset page they got a message either saying that their password had been reset or that an e-mail with instructions on how to reset the password had been sent to their e-mail account, thus providing verification that the e-mail address is legitimate. When a fake e-mail address was typed in they got a message that said "Unregistered Email. The email address you entered has not been registered."

Now, every password typed in gets the same message: "Your password has been reset. An e-mail has been sent to all contact e-mails associated with your account, including (the one typed in)."" - CNET

This is one of those flaws you rarely hear about but that have a real impact: the two different responses let anyone confirm which e-mail addresses belong to registered accounts. The primary reason for harvesting such a list is to perform targeted phishing.

Read more: http://news.cnet.com/8301-1009_3-10205476-83.html?tag=mncol
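As an added example (not code from the post, CNET, or Facebook), here are the pre-fix and post-fix reset handlers as the CNET text describes them, plus a check that the fixed handler's response no longer distinguishes registered from unregistered addresses. The account store, the mailer stub, and the addresses are constructed stand-ins.

```python
import secrets
from dataclasses import dataclass, field

# Constructed sample account store: login e-mail -> contact addresses on the account.
ACCOUNTS = {
    "alice@example.com": ["alice@example.com", "alice.backup@example.net"],
}


@dataclass
class Mailer:
    """Stub mailer (constructed for this example) that records what it would have sent."""
    sent: list = field(default_factory=list)

    def send_reset(self, to_addresses, token):
        self.sent.append((tuple(to_addresses), token))


def reset_password_leaky(email, mailer):
    """Pre-fix behaviour described in the post: the text of the response reveals
    whether the address is registered, which is the enumeration oracle."""
    if email not in ACCOUNTS:
        return "Unregistered Email. The email address you entered has not been registered."
    mailer.send_reset(ACCOUNTS[email], secrets.token_urlsafe(32))
    return "An e-mail with instructions on how to reset your password has been sent."


def reset_password_fixed(email, mailer):
    """Post-fix behaviour: the same response in both cases. The reset e-mail (carrying
    the token) is sent only when an account exists, so the requester learns nothing.
    Echoing the address the requester typed would be harmless; listing the account's
    other contact addresses in the response would not be, so neither is done here."""
    contacts = ACCOUNTS.get(email)
    if contacts is not None:
        mailer.send_reset(contacts, secrets.token_urlsafe(32))
    return ("If an account matches the e-mail address you entered, a message with "
            "password reset instructions has been sent to its contact addresses.")


def responses_differ(handler, registered, unregistered):
    """Enumeration check: True if the handler's response text distinguishes a
    registered address from an unregistered one."""
    mailer = Mailer()
    return handler(registered, mailer) != handler(unregistered, mailer)
```

The response text is only one channel: if the mail is sent synchronously and only for existing accounts, response time still leaks the same bit, so queue the send and return immediately on both paths.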



Rarely hear about, but often see.

This can also work against a legit user who has forgotten both his password and the email linked to it.
He wouldn't know which email he registered.
Happens to me all the time :(

Narkolayev is a real white-hat hacker; he knows what he is doing.