[Facebook] Determine Email Address and Phone Number of Users

By following the proof of concept (POC) below, an attacker could determine whether a given email address or phone number is connected to a given Facebook user, even when the user has hidden them from their profile.


1. Go to www.facebook.com and Click on "Forgot password".

2. Enter Target's Phone Number and click on "Search".

3. Select "Send code via SMS" and click on "Keep going".

4. Click on "Can't get code?".

5. Repeat steps 3 and 4 at least six times.

6. Then click on "Aren't you".

7. Enter the Target's Facebook USERNAME and click on "Search".

8. Select "Send code via SMS" and click on "Keep going".

9. Click on "Cancel".

10. Click on "Forgot password".

11. Repeat steps 8, 9 and 10 once more.

This should trigger an error saying "Identify this account in another way".

To double-check:

12. Click on "Please try again".

13. Enter the Target's USERNAME and Search.

This should give us an error saying "Identify this account in another way. Identify your account using email or phone number."

If we enter a USERNAME that is not connected to the Target's Phone Number, we are redirected instead of seeing that error.

14. Enter your USERNAME (or any VALID USERNAME) and search.

This should redirect you and indicate that the Phone Number does not belong to your USERNAME.

Timeline -

Reported - Sunday, September 19, 2021

Triaged - Friday, October 22, 2021

Fixed - Wednesday, November 3, 2021

Rewarded - Thursday, November 4, 2021
