Saturday, July 20, 2013

How I Exposed your Primary Facebook Email Address (Bug worth $4500)

Hi. In this post I'll be talking about how I disclosed the private primary email address of any Facebook account, with no user interaction. Enjoy.

This bug was reported to the Facebook Security Team and fixed immediately.

Last month, I found a vulnerability in the Facebook Developer Application Roles page which allowed me to disclose the primary Facebook email address even if the victim had set the email address privacy to "Only Me".

Steps to Reproduce

1. Grab profile links of all Facebook users from the Facebook People Directory, i.e.
2. Collect the numerical Facebook ID for each profile from the Facebook Graph API, i.e. where the extracted user ID is 100006240120652
3. Block the victim's Facebook account
4. Create a Facebook Application -> Go to Settings -> Developer Roles
5. Final payload for this vulnerability looks like this:[1][0]=VICTIM_UID

You can also obtain multiple email addresses by adding more parameters

and so forth...
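The bug class behind this writeup, modelled as an added illustration (not Facebook's code): a developer-tooling lookup that returns a user's stored email for any numeric UID ignores the profile's "Only Me" privacy setting, while the fixed resolver applies the same visibility rule the profile page uses. All accounts, UIDs and privacy values below are constructed placeholders.

```python
# Added illustration of the bug class in this writeup (not Facebook's code).
# A roles-page lookup that hands back the stored email for any UID leaks it
# regardless of the owner's "Only Me" setting; the fixed resolver enforces
# that setting and lets the invite flow work with the public name instead.
from dataclasses import dataclass

@dataclass
class User:
    uid: int
    name: str
    email: str
    email_privacy: str  # "public", "friends" or "only_me" (constructed values)

# Constructed sample accounts; UIDs are made-up placeholders.
USERS = {
    100000000000001: User(100000000000001, "Alice", "alice@example.com", "only_me"),
    100000000000002: User(100000000000002, "Bob", "bob@example.com", "public"),
    100000000000003: User(100000000000003, "Carol", "carol@example.com", "friends"),
}

def resolve_invitee_vulnerable(uid: int) -> dict:
    """Vulnerable pattern: the developer-roles lookup returns the stored
    email for any UID, bypassing the profile privacy setting entirely."""
    u = USERS[uid]
    return {"uid": u.uid, "name": u.name, "email": u.email}

def email_visible_to(target: User, viewer_uid: int, are_friends: bool) -> bool:
    """The visibility rule the profile page applies; every endpoint that
    renders an email (developer tooling included) must reuse it."""
    if viewer_uid == target.uid:
        return True  # the owner always sees their own email
    if target.email_privacy == "public":
        return True
    if target.email_privacy == "friends":
        return are_friends
    return False  # "only_me": nobody else, whatever the calling feature is

def resolve_invitee_fixed(uid: int, viewer_uid: int, are_friends: bool = False) -> dict:
    """Fixed pattern: inviting someone to a role only needs an identity, so
    the email is included only when the viewer could see it on the profile."""
    u = USERS[uid]
    out = {"uid": u.uid, "name": u.name}
    if email_visible_to(u, viewer_uid, are_friends):
        out["email"] = u.email
    return out
```

The defensive takeaway is that the privacy setting is a property of the data, not of the profile page, so any secondary feature that resolves a UID to contact details needs the same check.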

Dumping Like a Boss ;)

Just reported this issue, and one hour later the Facebook Security Team responded to my initial report

LoL! ;)

At exactly 8:26AM the vulnerability was finally fixed

Final fix: 5 hours after initial report

Facebook was pretty fast to address this issue and resolved this within hours. Facebook Security team awarded this bug with $4500.

Facebook WhiteHat Card, baby!

I appreciate the opportunity to preserve my skills and gain some more experience. Thank you Facebook security team.

"Roy Castillo" - Facebook White Hat Page 2012 & 2013


Protip: Focus on your target, think creatively, use your imagination, don't spend your time on attacks like reflected XSS etc. Try to find something special ;)

Disclosure Timeline

June 25th, 2013 at 1:22AM (GMT +08:00): Vulnerability Discovered
June 28th, 2013 at 2:43AM (GMT +08:00): Initial Report
June 28th, 2013 at 2:44AM (GMT +08:00): Autoresponse from Security bot
June 28th, 2013 at 3:41AM (GMT +08:00): First response from Security Team
June 28th, 2013 at 8:26AM (GMT +08:00): Vulnerability Fixed
July 6th, 2013 at 1:40AM (GMT +08:00): Confirmation from Rory that the vulnerability has been fixed
July 19th, 2013 at 1:08AM (GMT +08:00): Bounty awarded
July 21st, 2013 at 12:00NN (GMT +08:00): Full Disclosure Published

Save The Planet!


  1. But this is possible to obtain from the Yahoo import user list, too, nah?

    BTW , nice finding ;)

  2. Congrats! Like a boss!! hehe

  3. Hey, that live feed thing is good. I put it on my blog also. And awesome, nice bug you got on FB.

  4. Nice post man, I disagree with the Pro Tip, but well done.

  5. hmm... fixed bug, it's not good hahaha


  10. We interviewed an experienced Bug Bounty Hunter - thought you'd be interested to read their comments:
