Did you report this? Apparently reset.php has been fixed. http://img440.imageshack.us/img440/3637/screenshotjm.png
On Thu, Aug 12, 2010 at 5:06 AM, Rishabh Singla <[email protected]> wrote:
>
> Hi everyone,
>
> This is with reference to the post by Mr. Atul Agarwal dated 11-Aug-10, and
> posted here (http://seclists.org/fulldisclosure/2010/Aug/130), in which
> Mr. Atul describes how a spammer might enter email addresses and extract the
> names (and photos) from Facebook accounts registered against those email IDs.
> Mr. Atul also mentions that this technique can be used to validate email
> addresses in one's possession.
>
> Would like to point out that another way to harness this information is
> through Facebook's "Forgot your password?" page (located at
> http://www.facebook.com/reset.php). By entering an email address on this
> webpage, a user's name, a photo and possibly a snippet of text is displayed
> (assuming a Facebook user exists against this email ID).
>
> I came across this on 6-Jun-10, and posted the same on my blog on 7-Jun-10.
> You might want to read the details on my blog
> (http://blog.rishabhsingla.com/2010/06/facebooks-reset-password-page-has.html).
>
> Rishabh Singla
> http://blog.rishabhsingla.com/
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
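As an added illustration (not code from either poster, and not Facebook's reset.php): a minimal model of the lookup the thread describes, where a registered address returns the account's name and photo, beside a version that answers identically whether or not the address exists, plus a per-source counter so bulk lookups can be flagged. The sample accounts, function names and threshold are assumptions.

```python
from collections import Counter

# Constructed sample directory of accounts (hypothetical, for the demo only).
USERS = {
    "alice@example.org": {"name": "Alice Example", "photo": "alice.jpg"},
    "bob@example.org": {"name": "Bob Example", "photo": "bob.jpg"},
}

SENT = []  # stand-in for an outbound mail queue


def queue_reset_email(email: str) -> None:
    SENT.append(email)


def leaky_reset_lookup(email: str) -> dict:
    """Models the behaviour reported in the thread: a registered address
    yields the account's name and photo in the page response, so the page
    doubles as an oracle for which addresses are registered."""
    user = USERS.get(email.lower())
    if user is None:
        return {"found": False, "message": "No account matches that email."}
    return {"found": True, "name": user["name"], "photo": user["photo"]}


def hardened_reset_lookup(email: str) -> dict:
    """Uniform response: the only thing that differs between a registered
    and an unregistered address is whether a mail is queued, which the
    caller cannot observe from the page."""
    if email.lower() in USERS:
        queue_reset_email(email.lower())
    return {"message": "If that email is registered, a reset link has been sent."}


class EnumerationMonitor:
    """Counts reset lookups per source address; record() returns True once a
    source exceeds the threshold, which is the signal to rate-limit or review."""

    def __init__(self, threshold: int = 20) -> None:
        self.threshold = threshold
        self.counts = Counter()

    def record(self, source_ip: str) -> bool:
        self.counts[source_ip] += 1
        return self.counts[source_ip] > self.threshold
```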
