I am intrigued about situations in which you would have someone's Snapchat username, but so little of an idea of their name/network that you couldn't find them on Facebook with graph search.
A few months ago, I was trying to figure out what this Snapchat was all about, so I signed up with a fairly common username.
Sure enough, in a few days, I received several topless pictures from a random account. The girl typed in a name which she thought belonged to her friend, but instead entered my new profile name.
I thought this was hilarious, my girlfriend however, didn't. Just one random situation.
The contacts app on the iPhone does something like that last jump, where having a phone number + first name is enough for it to sometimes find the full FB profile and update the pic associated with the contact on the phone. I assume/hope it only works when they have their phone number public on their profile, though.
Well, no. I have some fb profile (with photo) in my phone contacts of people that it's not in my friend list, but (probably) it's in my "friends of friends" list. So probably the latter is enough.
It depends on the privacy settings of the user. I just tried this on myself and it did not show my name or photo. The most conspicuous thing it showed was a starred-out version of my old university email address, but that's my own fault for leaving it there.
That explanation does not inspire confidence -- I was able to retrieve the profile picture, name, networks, and barely-obfuscated email addresses of several contacts for whom it is impossible they have logged in from my network (on a VPN to the office) or my computer.
EU privacy laws explicitly forbids exposing photos (linked to personally identifiable information) without explicit consent, especially for people of minor age (the specific country laws may change a little, but the general sense is clear).
This is an account recovery endpoint used if your account was hacked for example.
Your name, profile picture and a few other things are considered public information so there is no security issue displaying them. See: https://www.facebook.com/help/167709519956542
Yes, but the email address or phone number, is not. I would argue therefore, the information that the email or phone connects to the public information, is not.
No, personally identifiable information isn't public information. What's exposed here is still personal information that you decided to make public, but presumably with the users consent.
On Facebook, there are granular privacy settings to control who can search for you by email/phone number if you choose to use them. They're accessed by going to facebook.com/settings (dropdown arrow @ top right), then "Privacy", then "Who can look me up?" ...the analogy would be opting to have an unlisted phone number in the white pages back when they were printed on paper and arrived on your front doorstep.
Replying as discussion originally seemed to be about first/last/profile picture privacy.
The scenario is: you are not able to get into your rightful facebook account but you know some information (phone, email) that is associated with it. If you are coming from a semi-trusted computer/ip/browser/etc that has a history of being associated with your account Facebook displays some public information about that account to ensure one doesn't try to recover the wrong account. The posts here about people getting differing results when hitting this endpoint with other peoples information are a result of these factors.
Important note: If a user you are initiating a recovery for has their "who can look me up" privacy setting set to "everyone" then we will always display such information for that user. That setting discussed a bit more here: https://www.facebook.com/help/www/131297846947406
Hope that clears things up, this is one of the most common false positives we get via our bug bounty program and I certainly see how it can be alarming at first.
It appears this only works if you're using an account that you've already logged into from that IP address.
If you try someone else's phone number, it has a placeholder profile picture, says "Facebook User", and has censored out email addresses to send a recovery email too.
I'm guessing everyone here is using their own phone number to test with which yields a lot more information than if you were to try it with a phone number of a friend whose never logged into Facebook from your network.
This is not accurate. I was able to see the picture, name, and a partially censored email address for several contacts. I have no facebook account and I am certain none of those contacts have ever accessed the internet from this IP.
I had reported this to FB security last year when I found it was trivial to find partially masked email ids & phone numbers of anyone behind my Uni's gateway.
I was informed that this was a design decision since previously used IPs are more trustworthy than any new IP. I considered this a design flaw and reported since large institutions are typically behind a NAT and they become susceptible to targeted attacks.
39 comments
[ 2.3 ms ] story [ 94.4 ms ] threadSnapchat Username --> Snapchat Phone Number --> Facebook Account
I hope people are behaving.
Sure enough, in a few days, I received several topless pictures from a random account. The girl typed in a name which she thought belonged to her friend, but instead entered my new profile name.
I thought this was hilarious, my girlfriend however, didn't. Just one random situation.
It doesn't do a common FB database wide search just from your contacts/FB friends.
An example of a poor trade for experience vs security.
> You can see your name and profile picture because you're using a computer network you've logged in on before.
At least, that's what I saw when I did it on myself in an incognito tab.
What law do you think this violates?
This is an account recovery endpoint used if your account was hacked for example.
Your name, profile picture and a few other things are considered public information so there is no security issue displaying them. See: https://www.facebook.com/help/167709519956542
It can be, for a plurality of reasons. Phone books, court records, etc.
The scenario is: you are not able to get into your rightful facebook account but you know some information (phone, email) that is associated with it. If you are coming from a semi-trusted computer/ip/browser/etc that has a history of being associated with your account Facebook displays some public information about that account to ensure one doesn't try to recover the wrong account. The posts here about people getting differing results when hitting this endpoint with other peoples information are a result of these factors.
Important note: If a user you are initiating a recovery for has their "who can look me up" privacy setting set to "everyone" then we will always display such information for that user. That setting discussed a bit more here: https://www.facebook.com/help/www/131297846947406
Hope that clears things up, this is one of the most common false positives we get via our bug bounty program and I certainly see how it can be alarming at first.
if you're going to do something that might raise the ire of someone sophisticated, don't do it online with your true and/or trusted persona.
now if you're complaining the waterline for "sophisticated" is getting lower...well...welcome to technology :)
If you try someone else's phone number, it has a placeholder profile picture, says "Facebook User", and has censored out email addresses to send a recovery email too.
I'm guessing everyone here is using their own phone number to test with which yields a lot more information than if you were to try it with a phone number of a friend whose never logged into Facebook from your network.
https://www.facebook.com/help/delete_account
I was informed that this was a design decision since previously used IPs are more trustworthy than any new IP. I considered this a design flaw and reported since large institutions are typically behind a NAT and they become susceptible to targeted attacks.