How to harvest Facebook profiles from emails without logging in

February 6, 2010 By in Uncategorized Leave a comment

Safe
Photo by Squacco

Max Klein recently posted a how-to on connecting a mailing list of users to their Facebook profiles, giving business owners a deep look into their customer's lives. There's one flaw with his technique, you need to be signed in to a Facebook account before you can get the information. The theoretical drawback here that you've clicked through their terms-of-service which prohibit you from these sorts of shenanigans, and thus taint the data if you wanted to sell it on. The practical problem is that Facebook claims to spot account holders doing these sort of bulk uploads, and blocks their accounts.

Recently I was surprised to discover that you don't need to be signed in to an account to search by email addresses and match them to profiles. To my mind this is a nasty hole both because it gives companies legal cover to resell the linked data, and in practice makes it tough for Facebook to crack down on firms siphoning off user data. It's a little bit more complex than Max's original approach, so I'll go through the steps below. I've met a brick wall trying to contact Facebook about previous security issues, so I'm hoping this might persuade them to close it.

1 – Create a free email account, and upload 2,000 of the addresses you want info on as contacts

2- Make sure you're logged out of Facebook, then go to http://www.facebook.com/find-friends/

3 – Enter your email account details, and answer the captcha

4 – Wait a couple of minutes, and you'll see a list of Facebook profiles for your addresses:

Findprofilesblurred
This is the sneaky bit – [Removed temporarily at Facebook's request, until they can get a fix in]

Write a script to handle the contact upload, and to [Removed temporarily] to pull out the IDs, and all you need is some Turks to handle the Captcha to have a fully functioning pipeline. You could easily be processing tens or hundreds of thousands of addresses an hour, and Facebook would have to resort to IP blocking to shut you down. I'll be watching to see how long this hole remains open…

[Update – Facebook got in touch, they've implemented a reporting system for vulnerabilities since the last time I tried to track someone down. It's at www.facebook.com/security, and it sounds like they're paying attention]

Leave a comment