Facebook Fixes User Email Address Leakage
"Previously, when people typed in a legitimate e-mail address on Facebook's password reset page they got a message either saying that their password had been reset or that an e-mail with instructions on how to reset the password had been sent to their e-mail account, thus providing verification that the e-mail address is legitimate. When a fake e-mail address was typed in they got a message that said "Unregistered Email. The email address you entered has not been registered."
Now, every password typed in gets the same message: "Your password has been reset. An e-mail has been sent to all contact e-mails associated with your account, including (the one typed in)."" - CNET
This is one of those flaws you rarely hear about that have a real impact. The primary reason for gathering this information (confirming which e-mail addresses have an account) is to perform targeted phishing.
Read more: http://news.cnet.com/8301-1009_3-10205476-83.html?tag=mncol
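The account-enumeration oracle described above, and the uniform-response fix, written out as an added example (not from the original post or from Facebook's own code). The account store, handler names and mail sender are constructed for the demonstration; the two response strings are the ones quoted on the page.

```python
import secrets

# Constructed account store for the example: e-mail -> account record (hypothetical data).
ACCOUNTS = {
    "alice@example.com": {"contact_emails": ["alice@example.com", "alice.backup@example.org"]},
}

# Response texts as quoted from the CNET article.
MSG_UNREGISTERED = "Unregistered Email. The email address you entered has not been registered."
MSG_UNIFORM = ("Your password has been reset. An e-mail has been sent to all contact "
               "e-mails associated with your account, including {email}.")


def _send_reset_mail(addresses, token):
    """Stand-in for the mail sender (hypothetical); returns how many mails it would send."""
    return len(addresses)


def reset_vulnerable(email):
    """The old behaviour: the wording differs, so the response confirms whether `email` has an account."""
    account = ACCOUNTS.get(email)
    if account is None:
        return MSG_UNREGISTERED
    _send_reset_mail(account["contact_emails"], secrets.token_urlsafe(32))
    return MSG_UNIFORM.format(email=email)


def reset_uniform(email):
    """The fixed behaviour: identical wording for registered and unregistered addresses.
    The token is generated on both paths so the two branches do comparable work; mail is
    only actually sent when an account exists."""
    account = ACCOUNTS.get(email)
    token = secrets.token_urlsafe(32)
    if account is not None:
        _send_reset_mail(account["contact_emails"], token)
    return MSG_UNIFORM.format(email=email)


def response_oracle(handler, registered, unregistered):
    """Defender's check: True if `handler` answers a registered and an unregistered address
    differently once the echoed address itself is masked out, i.e. the response leaks
    registration status."""
    a = handler(registered).replace(registered, "<addr>")
    b = handler(unregistered).replace(unregistered, "<addr>")
    return a != b
```

Run `response_oracle` against a reset endpoint's responses in a test suite to catch a regression back to distinguishable wording; it does not cover timing differences between the two paths, which need separate measurement.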
Rarely hear about, but often see.
Posted by: AnonymousPenTester | Mar 31, 2009 3:56:05 PM
This can also work against a legit user who has forgotten both his password and the email linked to it.
He wouldn't know which email he registered.
Happens to me all the time :(
Posted by: Anonymous | Apr 1, 2009 10:54:49 AM
Narkolayev is a real white-hat hacker, he knows what he is doing.
Posted by: Anonymous | Apr 1, 2009 11:02:23 AM