“The hack allowed me to harvest as many email addresses as I wanted from anybody on Facebook, it didn’t matter how private you thought your email address was – I could have grabbed it,” said bug bounty hunter Tommy DeVoss. DeVoss discovered the critical flaw on Thanksgiving Day and promptly reported it to Facebook through its bug bounty program. Facebook said it would award him $5,000 once it had verified what the bug was and how it was exploited, and on Tuesday it paid out. The vulnerability lay in Facebook Groups, the user-generated feature that lets any member create a group on the platform. DeVoss found it while acting as the administrator of a Facebook Group: an admin can invite any Facebook member to take on an admin or moderator role, which grants permissions such as editing posts or adding new members. Those invitations are handled by Facebook itself and are delivered not only to the invitee’s Facebook Messages inbox but also to the email address linked to the invitee’s account. Many users choose to keep their primary or personal email addresses hidden, yet DeVoss found that, regardless of a member’s privacy settings, he could obtain any Facebook user’s email address, whether or not he was friends with them.
DeVoss said: “While Facebook waits for the confirmation, the user is forwarded to a Page Roles tab that includes a button to cancel the request.” He then switched to Facebook’s mobile web view of the Page Roles tab, where he could see the complete email address of anyone whose pending invitation to become a Group administrator he chose to cancel. Facebook said it “has no proof that the vulnerability was ever exploited” and has deployed a fix to prevent the bug from being abused.
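The bug class described above is a server-side view that exposes a field (the invitee’s email) based on the viewer’s relationship to the invitation (being the admin who can cancel it) instead of the invitee’s own visibility setting, with one surface (mobile web) diverging from the others. The following is an added illustration, not Facebook’s code and not from the article: a hypothetical pending-invite serializer in which the invitee’s setting alone decides whether the email is returned, a single serializer is shared by the desktop and mobile-web views, and a regression check confirms the two surfaces never disagree. The `User`, `PendingRoleInvite`, visibility values and sample records are all constructed for the example.

```python
"""Serialising a pending role invitation without leaking the invitee's email.

Hypothetical illustration (not Facebook code). Two rules are enforced:
  1. Whether the viewer may see the invitee's email is decided by the
     invitee's own visibility setting, never by the viewer's admin rights.
  2. Every surface (desktop, mobile web) renders through one serializer,
     so no view can quietly include a field another view withholds.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: int
    name: str
    email: str
    email_visibility: str          # constructed values: "only_me", "friends", "public"
    friends: frozenset = frozenset()


@dataclass(frozen=True)
class PendingRoleInvite:
    invite_id: int
    group_id: int
    inviter_id: int                # the admin who sent the invitation
    invitee: User
    role: str


def email_visible_to(viewer: User, subject: User) -> bool:
    """Decide from the subject's setting only; deny on anything unrecognised."""
    if viewer.user_id == subject.user_id:
        return True
    if subject.email_visibility == "public":
        return True
    if subject.email_visibility == "friends":
        return viewer.user_id in subject.friends
    return False


def serialize_invitee(viewer: User, invite: PendingRoleInvite) -> dict:
    """Single source of truth for what any view may show about the invitee."""
    out = {
        "invite_id": invite.invite_id,
        "name": invite.invitee.name,
        "role": invite.role,
        "can_cancel": viewer.user_id == invite.inviter_id,
    }
    if email_visible_to(viewer, invite.invitee):
        out["email"] = invite.invitee.email
    return out


def render_desktop(viewer: User, invite: PendingRoleInvite) -> dict:
    return {"view": "desktop", **serialize_invitee(viewer, invite)}


def render_mobile_web(viewer: User, invite: PendingRoleInvite) -> dict:
    return {"view": "mobile_web", **serialize_invitee(viewer, invite)}


def render_mobile_web_leaky(viewer: User, invite: PendingRoleInvite) -> dict:
    """The defective pattern: a separate mobile template that attaches the
    email whenever the viewer is allowed to cancel the request, ignoring the
    invitee's visibility setting entirely."""
    out = {"view": "mobile_web", **serialize_invitee(viewer, invite)}
    if out["can_cancel"]:
        out["email"] = invite.invitee.email   # leak: gated on viewer role, not subject setting
    return out


def views_agree(viewer: User, invite: PendingRoleInvite) -> bool:
    """Regression check: desktop and mobile web expose identical fields."""
    d = dict(render_desktop(viewer, invite))
    m = dict(render_mobile_web(viewer, invite))
    d.pop("view")
    m.pop("view")
    return d == m


# Constructed sample data
ADMIN = User(1, "Group Admin", "admin@example.invalid", "friends")
HIDDEN = User(2, "Private Member", "hidden@example.invalid", "only_me")
OPEN = User(3, "Open Member", "open@example.invalid", "public")
INVITE_HIDDEN = PendingRoleInvite(10, 99, ADMIN.user_id, HIDDEN, "moderator")
INVITE_OPEN = PendingRoleInvite(11, 99, ADMIN.user_id, OPEN, "admin")

if __name__ == "__main__":
    print("hardened mobile view:", render_mobile_web(ADMIN, INVITE_HIDDEN))
    print("leaky mobile view:   ", render_mobile_web_leaky(ADMIN, INVITE_HIDDEN))
    print("views agree:", views_agree(ADMIN, INVITE_HIDDEN))
```

The `views_agree` check is the piece worth keeping in a test suite: a divergence between surfaces is exactly the kind of regression that a per-view template makes easy to introduce and hard to notice in review.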