Today I've got a little vuln for you. Nothing critical, but a privacy hole in Facebook. Nice, isn't it? We're dealing with Facebook privacy, which is why this is important. This trick will let you find out who's behind any email address.
Say you want to know the name of the person behind firstname.lastname@example.org. It seems quite hard to find anything related to this email. You can at least try Google or the most common reverse identity websites:
But let's think: most people are now on Facebook, so let's give it a try, not with Facebook's search function but with the reverse lookup built into the reset password page.
All you need to do is go to http://www.facebook.com/reset.php, and you'll get this page:
At this point, enter the email address you want to reverse, then click the Continue button.
There you are: you've just reversed the email address.
As you can see, Facebook displays the name and the profile URL associated with the email address just entered. We can agree this is not good practice for privacy: anyone can try to reverse an email address with the reset password page.
On the plus side, the page is CAPTCHA-protected, which would stop most spambots.
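One way to close the hole described above, as an added example that is not Facebook's code and not part of the original post: the first handler echoes the name and profile URL the way the reset page does, and the second answers every address identically and sends the reset token only to the mailbox. The account store, outbox, function names and the "not found" message are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample account store (hypothetical data, not from the post).
USERS = {
    "alice@example.org": {"name": "Alice Martin", "profile": "/alice.martin"},
}
OUTBOX = []  # stands in for the mail queue; only the mailbox owner reads it

GENERIC = "If an account matches that address, a reset link has been sent to it."


def reset_leaky(email):
    """Behaviour described in the post: the page echoes name and profile URL."""
    user = USERS.get(email.strip().lower())
    if user is None:
        # Assumed response for unknown addresses; it also confirms non-existence.
        return {"status": 404, "body": "No account found for that address."}
    return {"status": 200,
            "body": f"Reset password for {user['name']} ({user['profile']})?"}


def reset_uniform(email):
    """Same status and body for every address; details travel only by mail."""
    key = email.strip().lower()
    token = secrets.token_urlsafe(32)  # generated on both paths
    digest = hashlib.sha256(token.encode()).hexdigest()  # store hash, not token
    if key in USERS:
        USERS[key]["reset_digest"] = digest
        OUTBOX.append((key, token))
    return {"status": 200, "body": GENERIC}


def token_matches(email, token):
    """Constant-time check of a presented token against the stored digest."""
    stored = USERS.get(email.strip().lower(), {}).get("reset_digest", "")
    digest = hashlib.sha256(token.encode()).hexdigest()
    return hmac.compare_digest(stored, digest)
```

With the uniform handler, the web response no longer tells a visitor whether an address is registered or who owns it; the CAPTCHA then only has to limit how much mail the form can trigger.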