As many people may know,
Facebook displays users' email addresses as images rather than plain text. Supposedly, this is to help prevent spamming (though, it seems like you might have bigger issues if your friends are spamming you). In any case, it turns out that these images actually aren't protected by the login process at all. For example,
my email address image should be viewable by anyone. You don't have to be on my friends list and you don't even have to be logged into Facebook at all!
Now, before 40 million people pickup their pitchforks and try to lynch the Facebook developers, realize that this isn't as bad as it might sound at first. The
emailgen.php page requires two parameter (
id and
key) to actually generate the image. The
id parameter is pretty clearly the user's Facebook ID and is pretty trivial to lookup but the
key parameter is a bit more cryptic (and turns out to be fairly secure).
Finding the KeyI was a bit curious as to what that
key value represented. Here's the value from my email link above:
47fe78750d8d158caca8419203fd54bfIt appears to be a 32-character hexadecimal (128-bit) number. Now, it was certainly possible this was simply a randomly generated
GUID that maps back to the real address in their database. If this were the case, though, there would really be no reason to include the
id parameter as part of the call. However,
MD5 checksums also happen to be 128-bits long and hashed values are often used for this sort of thing. Perhaps the
key is simply a hash of some combination of the user's Facebook ID and the email address that will be displayed?
As it turns out, this is exactly what is being done. After trying just a couple combinations, I came up with the following result:
$ echo -n cfbradford@gmail.com668876587 | md5sum
47fe78750d8d158caca8419203fd54bf -Eureka! I just generated the magic
key needed to display my own email address! All I need is a user's Facebook ID and their email address and I can generate the proper
key (and then URL) to display the email address image. And I can do all this without being your friend on Facebook or even being logged in at all!
But Wait...Right about now the clever readers are scratching their heads trying to figure out why this even matters. What I've basically said so far is that "if I know your email address, I can find out your email address". Doesn't seem very exciting, does it?
The even more clever readers, though, are realizing that Facebook is actually giving me
confirmation that I guessed the correct email address. More specifically, I can now essentially ask Facebook "Does user X have email Y registered with you?" and Facebook will essentially respond either "Yes" or "No" rather than just ignoring the question completely.
The less-cryptographically inclined may be wondering if I can reverse the process to get an email address and Facebook ID from the MD5 hash. In general, though, it is impossible to reverse such a hash since information is generally lost in the process.
How is this Useful?Obviously this is only a big deal if it allows people to do something really cool or really scary with this information. Since the same basic functionality should be available in the Friend Finder, though, this probably can't be used to take over the world.
If you have a Facebook account, you should be able to upload an address book with a single email address in it to find if a Facebook user has that email address (and discover their Facebook ID in the process). You don't need to be friends, so pretty much anyone could do this (though I haven't actually tested the process).
To do the same thing with this "trick" would require having a list of all ~40 million (and growing) Facebook IDs, computing hashes based on each possible ID, and then requesting an email image from the Facebook site for each combination. Just computing that many hashes on my computer would take more than a day, and that's just for one email address.
Verdict: Friend Finder is more useful.
In order to "discover" one of these IDs in the first place, you basically have to have access to a Facebook user's page, which means you also know their Facebook ID and could read the image with
OCR software to figure out the email address in an automated way. So, this doesn't really provide any information that a person didn't already have access to.
What it could do, though, is provide alternatives to OCR in certain situations. If you have a small-ish list of possible email addresses you can just calculate the MD5 hash with each candidate until you find a match. As the number of possibilities grows, this becomes slower until OCR would be a better approach. (Depending on the speed and accuracy of the OCR software, this could be 100 or 1,000 possible emails). Even if OCR is used, the hash is still useful as a means to verify the results (if the detected address doesn't properly hash back to the
key, then its not the correct address).
ConclusionDespite the overly dramatic title of this post, I don't see any reason to really be worried about this. In light of recent posts about Facebook being a
roach motel, I thought it was interesting discovering possible alternatives to OCR for extracting email addresses from Facebook. I'm a bit surprised that the
emailgen.php page doesn't at least check to ensure you are logged in, but with open logins now this would be more of a placebo anyway. If someone is good at guessing what your email address is, they can get confirmation if they are right or wrong, but since this same information (and more) should be available through the Friend Finder, its really nothing new.
