Failed Facebook Login Attempts Reveal Private Information

Martin Brinkmann
Aug 12, 2010
Updated • Jan 17, 2015

Facebook does not seem to come to rest these days when it comes to privacy. A new bug was discovered on Wednesday by researcher Atul Agarwal, which allowed anyone to match an email address to a Facebook user's name and profile picture.

Facebook has designed the login process to provide additional information to the user if the email and password combination used to log in do not match.

Instead of just displaying a warning that the log in information were not correct, Facebook went one step further and displayed "Login As" information on the page. This included the user's profile photo and full name regardless of that user's privacy settings on Facebook.

Atul described the problem in detail on Seclists:

Sometime back, I noticed a strange problem with Facebook, I had accidentally entered wrong password in Facebook, and it showed my first and last name with profile picture, along with the password incorrect message. I thought that the fact that it was showing the name had something to do with cookies stored, so I tried other email id's, and it was the same. I wondered over the possibilities, and wrote a POC tool to test it.

This script extracts the First and Last Name (provided by the users when they sign up for Facebook). Facebook is kind enough to return the name even if the supplied email/password combination is wrong. Further more,it also
gives out the profile picture (this script does not harvest it, but its easy to add that too). Facebook users have no control over this, as this works even when you have set all privacy settings properly. Harvesting this data is very easy, as it can be easily bypassed by using a bunch of proxies.

facebook login privacy
facebook login privacy

The issue has been fixed in record time by Facebook. It does however mean that
the privacy issue was exploitable by everyone, including users without a Facebook account, until the fix had been applied.

In plain English, anyone who discovered the issue was able to link email addresses to real names and profile photos on Facebook, even without an account.

Dedicated attackers may have used automation to extract the information in bulk from Facebook.

The proof of concept code that Atul wrote showed that malicious users could have exploited the issue to create a huge database of linked email addresses and full names, which could be disastrous if used in phishing campaigns or other malicious uses.


Tutorials & Tips

Previous Post: «
Next Post: «


  1. ninamason said on January 14, 2011 at 10:39 pm

    just wondering why facebook is having a lot of trouble today its doing alot people heads in and mine its just so slow.and its even on my phone.i do love facebook keep in contract with people and family who live miles please lets us know what what,thankyou,

  2. SYAUQI HANAFI said on October 6, 2010 at 6:58 am

    my facebook hacked by some body..please let me know who and how to fix it?

  3. Pretty said on September 16, 2010 at 5:08 pm

    Hey facebook why have i failed to login help me out i really need to sign up for facebook. Direct me on how it iz done.

  4. Wisdom said on August 22, 2010 at 7:18 pm

    You are very good

  5. Wired said on August 15, 2010 at 3:18 pm

    This problem is not fixed!! I tried making wrong password attempts with my accounts and after a captcha secruity check i was taken to the same page, revealing my profile pic, name and email address…

  6. Tari said on August 13, 2010 at 4:24 pm

    This is WAY over my head except for the fact that I have been trying for 4 days to get my password reset with no results. I have gotten a few emails from facebook & have been told those might not be real. I am at my wits end here. I am not a big social networker but I do want either access to my account to use or close. Is facebook just that behind or have I been hacked, Thanks for any help.

    1. Martin said on August 13, 2010 at 4:52 pm

      Tari, it never takes that long to reset a password. You need to take a closer look at the links in the password reset emails, if the point to then all is well. You can usually check those by hovering with the mouse cursor over them and looking in the status bar of the web browser or email program.

  7. HNicolai said on August 12, 2010 at 8:54 pm

    How is this different from searching for emails on facebook? When searching for a email, you also get a picture and the persons full name.
    But using the exploit/bug you could “match” a email with a picture and a name, right? Why not just search for the same mail on facebook and get the same result? Or am I misunderstanding something?

    1. Martin said on August 12, 2010 at 9:05 pm

      HNicolai, the difference is the account. The login method did work without a Facebook account, which means attackers could exploit the issue with a lot of time and a simple script. I have not tried the search in Facebook, but it probably limits the requests per x minutes or something like that. It would also mean that automation would be more complex, if not completely impossible.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.