Sunday, September 9, 2007

Facebook Exposes Email Addresses

As many people may know, Facebook displays users' email addresses as images rather than plain text. Supposedly, this is to help prevent spamming (though, it seems like you might have bigger issues if your friends are spamming you). In any case, it turns out that these images actually aren't protected by the login process at all. For example, my email address image should be viewable by anyone. You don't have to be on my friends list and you don't even have to be logged into Facebook at all!

Now, before 40 million people pick up their pitchforks and try to lynch the Facebook developers, realize that this isn't as bad as it might sound at first. The emailgen.php page requires two parameters (id and key) to actually generate the image. The id parameter is pretty clearly the user's Facebook ID and is pretty trivial to look up, but the key parameter is a bit more cryptic (and turns out to be fairly secure).

Finding the Key

I was a bit curious as to what that key value represented. Here's the value from my email link above:

47fe78750d8d158caca8419203fd54bf

It appears to be a 32-character hexadecimal (128-bit) number. Now, it was certainly possible this was simply a randomly generated GUID that maps back to the real address in their database. If this were the case, though, there would really be no reason to include the id parameter as part of the call. However, MD5 checksums also happen to be 128 bits long, and hashed values are often used for this sort of thing. Perhaps the key is simply a hash of some combination of the user's Facebook ID and the email address that will be displayed?

As it turns out, this is exactly what is being done. After trying just a couple combinations, I came up with the following result:

$ echo -n cfbradford@gmail.com668876587 | md5sum
47fe78750d8d158caca8419203fd54bf -


Eureka! I just generated the magic key needed to display my own email address! All I need is a user's Facebook ID and their email address and I can generate the proper key (and then URL) to display the email address image. And I can do all this without being your friend on Facebook or even being logged in at all!

But Wait...

Right about now the clever readers are scratching their heads trying to figure out why this even matters. What I've basically said so far is that "if I know your email address, I can find out your email address". Doesn't seem very exciting, does it?

The even more clever readers, though, are realizing that Facebook is actually giving me confirmation that I guessed the correct email address. More specifically, I can now essentially ask Facebook "Does user X have email Y registered with you?" and Facebook will essentially respond either "Yes" or "No" rather than just ignoring the question completely.

The less-cryptographically inclined may be wondering if I can reverse the process to get an email address and Facebook ID from the MD5 hash. In general, though, it is impossible to reverse such a hash since information is generally lost in the process.

How is this Useful?

Obviously this is only a big deal if it allows people to do something really cool or really scary with this information. Since the same basic functionality should be available in the Friend Finder, though, this probably can't be used to take over the world.

If you have a Facebook account, you should be able to upload an address book with a single email address in it to find if a Facebook user has that email address (and discover their Facebook ID in the process). You don't need to be friends, so pretty much anyone could do this (though I haven't actually tested the process).

To do the same thing with this "trick" would require having a list of all ~40 million (and growing) Facebook IDs, computing hashes based on each possible ID, and then requesting an email image from the Facebook site for each combination. Just computing that many hashes on my computer would take more than a day, and that's just for one email address. Verdict: Friend Finder is more useful.

In order to "discover" one of these IDs in the first place, you basically have to have access to a Facebook user's page, which means you also know their Facebook ID and could read the image with OCR software to figure out the email address in an automated way. So, this doesn't really provide any information that a person didn't already have access to.

What it could do, though, is provide alternatives to OCR in certain situations. If you have a small-ish list of possible email addresses you can just calculate the MD5 hash with each candidate until you find a match. As the number of possibilities grows, this becomes slower until OCR would be a better approach. (Depending on the speed and accuracy of the OCR software, this could be 100 or 1,000 possible emails.) Even if OCR is used, the hash is still useful as a means to verify the results (if the detected address doesn't properly hash back to the key, then it's not the correct address).
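As an added example in Python (not code from the post), the key construction reverse-engineered in the "Finding the Key" section and the candidate-list check described just above, written out so the reason the key leaks information is visible: MD5 over email+id uses nothing that only the server knows, so anyone holding an ID can test guesses against a key. The email address and ID are the post's own values; the HMAC variant at the end is my suggested fix, not something the post says Facebook did, and SERVER_SECRET is a constructed placeholder.

```python
import hashlib
import hmac
import secrets

# Values taken from the post's own worked example.
EXAMPLE_EMAIL = "cfbradford@gmail.com"
EXAMPLE_ID = 668876587
EXAMPLE_KEY = "47fe78750d8d158caca8419203fd54bf"


def emailgen_key(email: str, facebook_id) -> str:
    """The scheme the post reverse-engineered: MD5 over the email address
    immediately followed by the numeric ID, i.e. exactly what
    `echo -n <email><id> | md5sum` computes."""
    return hashlib.md5(f"{email}{facebook_id}".encode()).hexdigest()


def find_matching_email(facebook_id, key: str, candidates):
    """The check the post describes: given an ID and its key, hash each
    candidate address and return the one that reproduces the key, or None.
    The same function is the OCR cross-check: an OCR'd address that does not
    hash back to the key is not the real address."""
    for candidate in candidates:
        if hmac.compare_digest(emailgen_key(candidate, facebook_id), key):
            return candidate
    return None


# Hardened alternative (my suggestion, not the post's or Facebook's design):
# an HMAC keyed with a secret held only by the server. Anyone can still
# compute MD5(email+id), but nobody outside the server can compute this
# value, so an ID plus a guessed address no longer yields a valid key and
# the image endpoint stops working as a yes/no oracle.
SERVER_SECRET = secrets.token_bytes(32)  # constructed; never leaves the server


def hardened_key(email: str, facebook_id, secret: bytes = SERVER_SECRET) -> str:
    # A separator keeps "id=12, email=3foo@x" and "id=123, email=foo@x" distinct.
    msg = f"{facebook_id}:{email}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def hardened_key_valid(email: str, facebook_id, presented_key: str,
                       secret: bytes = SERVER_SECRET) -> bool:
    # Constant-time comparison so the check itself leaks nothing via timing.
    return hmac.compare_digest(hardened_key(email, facebook_id, secret), presented_key)


if __name__ == "__main__":
    key = emailgen_key(EXAMPLE_EMAIL, EXAMPLE_ID)
    print("computed key:", key)
    print("matches the key shown in the post:", key == EXAMPLE_KEY)
    # Constructed candidate list; only the post's address should match.
    guesses = ["chip@example.com", "cbradford@example.com", EXAMPLE_EMAIL]
    print("candidate that reproduces the key:", find_matching_email(EXAMPLE_ID, key, guesses))
    hk = hardened_key(EXAMPLE_EMAIL, EXAMPLE_ID)
    print("HMAC key (unreproducible without the secret):", hk)
    print("valid for the real address:", hardened_key_valid(EXAMPLE_EMAIL, EXAMPLE_ID, hk))
    print("valid for a guessed address:", hardened_key_valid("chip@example.com", EXAMPLE_ID, hk))
```

The difference between the two constructions is the whole story: with MD5(email+id) the verifier and the attacker have identical inputs, so the key confirms guesses; with an HMAC the verifier holds a secret the attacker does not, so a presented key says nothing about how close a guess is.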

Conclusion

Despite the overly dramatic title of this post, I don't see any reason to really be worried about this. In light of recent posts about Facebook being a roach motel, I thought it was interesting discovering possible alternatives to OCR for extracting email addresses from Facebook. I'm a bit surprised that the emailgen.php page doesn't at least check to ensure you are logged in, but with open logins now this would be more of a placebo anyway. If someone is good at guessing what your email address is, they can get confirmation if they are right or wrong, but since this same information (and more) should be available through the Friend Finder, it's really nothing new.

3 comments:

Anonymous said...

I can only guess that the reason facebook shows email-addresses as a picture is because a few trojan spam-horses search through a user's web cache and monitor all pages he visits to snap up email-addresses.

It's quite clever by the spammers actually. Why write a spider and expose their IP address when they can have thousands of zombies browse the web for them and gather addresses.

Kudos to facebook for thinking ahead :-)

Chip said...

I hadn't heard of that sort of malware before. Pretty clever on the part of the spammers I guess.

I'm not sure I buy it as the reason why Facebook uses images for email addresses, though. Phone numbers are displayed as plain text and, if they are mobile numbers, can be used just like a regular email address to send SMS spam. That would arguably be even worse for people since it may end up costing them money to receive the messages (based on their phone plan).

Personally, I suspect they are using images for emails to try and prevent competing services from being able to easily harvest the address (since email addresses serve as such good unique identifiers for people). I suppose only the Facebook developers really know for sure, though.

Anonymous said...

Hey,

This site, jetbots.com has the software to decrypt emails with 93%+ accuracy... Lots of cool other features there as well.. Check for JET profile scrapper on the website..

Just thought to share it with you..

Jennifer