Facebook 'dangerous vulnerability' exposes millions of email addresses

A Facebook vulnerability, which the company allegedly dismissed as not important enough to fix, leaks user email addresses

The anonymous researcher created a video demonstrating a tool that can link Facebook accounts to their email addresses. The tool can process up to five million email addresses per day.

The security expert said they reported the bug to Facebook before going public. They made the Facebook Email Search v1.0 tool and posted the video after the social giant allegedly told them it didn't think the exploit was "important" enough to be fixed. The tool exploited a front-end vulnerability.

In an email about the leak that Facebook accidentally sent to Dutch publication DataNews, the firm instructed public relations staff to "frame this as a broad industry issue and normalize the fact that this activity happens regularly."

Responding to Ars Technica, who viewed the video, a Facebook spokesperson said, "It appears that we erroneously closed out this bug bounty report before routing to the appropriate team. We appreciate the researcher sharing the information and are taking initial actions to mitigate this issue while we follow up to better understand their findings."

Facebook didn't respond to Ars' question about whether the company had told the researcher initially that the vulnerability wasn't important enough to fix.

This "mega-leak" comes a month after a dump of phone numbers belonging to 500 million Facebook users. Facebook has 2.8 billion monthly active users, including many using the iOS app on iPhones and iPads.

It's currently unknown whether any malicious actors used the bug to build a database of Facebook users' email addresses. "I believe this to be quite a dangerous vulnerability," said the researcher, "and I would like help in getting this stopped."

Stay on top of all Apple news right from your HomePod. Say, "Hey, Siri, play AppleInsider," and you'll get latest AppleInsider Podcast. Or ask your HomePod mini for "AppleInsider Daily" instead and you'll hear a fast update direct from our news team. And, if you're interested in Apple-centric home automation, say "Hey, Siri, play HomeKit Insider," and you'll be listening to our newest specialized podcast in moments.