
There's been a bit of miscommunication here, and I think it's partially my fault. It looks like there was a vulnerability in the rate limiter, and Facebook has admitted that and says they're trying to fix it (I don't know whether they have fixed it):

>In a statement, Facebook said: "It appears that we erroneously closed out this bug bounty report before routing to the appropriate team. We appreciate the researcher sharing the information and are taking initial actions to mitigate this issue while we follow up to better understand their findings."

https://arstechnica.com/gadgets/2021/04/tool-links-email-add...

I'm not sure whether you're just concerned with this apparent rate limit bypass vuln or with the entire concept of lookup by email.

>Ask yourself why Facebook doesn't just make available a spreadsheet of all names associated with which emails on the platform. It's because it's private information.

That would be Facebook telling you the email of every account. The behavior we're discussing is not doing that. Facebook allows you to find a person's profile given a person's email (assuming the person didn't disable that lookup in privacy settings, and also considering rate limits which might be bypassable by a vulnerability). Facebook doesn't allow you to do the reverse unless the person sets email visibility to public.

>Why doesn't Facebook's security team do anything? Either they're incompetent, or they're being muzzled by product.

What do you think they should do?

Just because someone disagrees with you doesn't make them incompetent.

>Additionally, Facebook's privacy policy explicitly says that they don't share your private information that you have chosen to set private. That's an egregious lie.

What private information is being shared? Your profile URL? Your first and last name?

Facebook has an option to disable this lookup. Are you saying people are disabling the lookup and Facebook is disobeying that?

>Who can look you up using the email address you provided?

https://i.imgur.com/D8qQjq0.png
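The two controls the comment above describes, a per-user "can I be looked up by email" setting and a rate limit on the lookup endpoint, sketched as an added example. This is illustrative code written for this page, not the commenter's code and not Facebook's implementation: the `Profile`, `RateLimiter` and `LookupService` names, the boolean `allow_email_lookup` (a simplification of whatever options the real setting offers), the constructed sample profiles and the `example.invalid` URLs are all assumptions.

```python
import time
from collections import deque
from dataclasses import dataclass


@dataclass
class Profile:
    user_id: str
    name: str
    email: str
    # Assumed simplification of the "who can look you up using your email" setting.
    allow_email_lookup: bool = True


class RateLimiter:
    """Sliding-window limiter: at most `limit` calls per `window` seconds per key.

    The key must be something the service assigns (the authenticated caller's
    account id), not something the caller supplies, otherwise the caller can
    pick a fresh key per request and the limit never applies.
    """

    def __init__(self, limit, window, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock
        self._hits = {}  # key -> deque of timestamps inside the window

    def allow(self, key):
        now = self.clock()
        hits = self._hits.setdefault(key, deque())
        # Drop timestamps that fell out of the window.
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


class LookupService:
    """Email -> profile lookup, the direction the comment says is permitted."""

    def __init__(self, profiles, limiter):
        self._by_email = {p.email.lower(): p for p in profiles}
        self._limiter = limiter

    def find_by_email(self, caller_id, email):
        """Return (status, profile_url). Every attempt, hit or miss, counts
        against the limit, so misses cannot be used to probe for free."""
        if not self._limiter.allow(caller_id):
            return "rate_limited", None
        profile = self._by_email.get(email.strip().lower())
        if profile is None or not profile.allow_email_lookup:
            # Same answer for "no such account" and "lookup disabled", so the
            # privacy setting does not itself leak whether the address exists.
            return "not_found", None
        return "ok", f"https://example.invalid/{profile.user_id}"


def run_demo(clock_values=None):
    """Drive the service with a fake clock and return the list of statuses seen."""
    ticks = list(clock_values or [0.0])
    now = {"t": ticks[0]}
    limiter = RateLimiter(limit=3, window=60.0, clock=lambda: now["t"])
    svc = LookupService(
        [
            Profile("u1", "Alice Example", "alice@example.com"),  # constructed
            Profile("u2", "Bob Example", "bob@example.com", allow_email_lookup=False),
        ],
        limiter,
    )
    seen = []
    seen.append(svc.find_by_email("caller-a", "alice@example.com")[0])   # ok
    seen.append(svc.find_by_email("caller-a", "bob@example.com")[0])     # not_found (opted out)
    seen.append(svc.find_by_email("caller-a", "nobody@example.com")[0])  # not_found (no account)
    seen.append(svc.find_by_email("caller-a", "alice@example.com")[0])   # rate_limited (4th in window)
    seen.append(svc.find_by_email("caller-b", "alice@example.com")[0])   # ok (separate key)
    now["t"] = ticks[-1] + 61.0                                          # window expires
    seen.append(svc.find_by_email("caller-a", "alice@example.com")[0])   # ok again
    return seen


if __name__ == "__main__":
    print(run_demo())
```

The point the two controls make together: the privacy setting decides whether a single lookup may succeed, while the limiter bounds how many lookups one caller can make in a window, so a bug that lets the limiter be bypassed weakens the second control without touching the first, which is exactly the distinction the comment draws between the reported vulnerability and the lookup feature itself.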
