Foursquare Flaw Could Have Been Exploited to Obtain Users’ Email Addresses


Flaw in Foursquare's friend invite feature exposed email addresses

Last year, security researcher Jamal Eddine discovered a Foursquare bug that could have been exploited to obtain the primary email addresses of all Foursquare accounts. The privacy issue was addressed quickly by the social network, but the expert only published his findings a few days ago.

The flaw was found in the invitations sent out by users when they wanted to befriend someone. The URL in the friend request contains a parameter called “uid,” which is associated with the sender’s email address.

By changing the value of “uid,” the primary email address of all Foursquare users could have been obtained.

The request looks something like this:

https://foursquare.com/mehdi?action=acceptFriendship&expires=1378920415&src=wtbfe&uid=64761059&sig=mmlx96RwGrQ2fJAg4OWZhAWnDvc%3D

Each time the value of “uid” was changed, a different email address was displayed in the request window.
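A server-side check that rejects a modified “uid”, as an added example that is not Foursquare's code: the page does not say how the “sig” value was computed or checked, so the HMAC-SHA256 scheme, the key and the function names below are assumptions. The signature covers every parameter, so changing “uid” invalidates the link before any account data is looked up.

```python
import base64
import hashlib
import hmac
from typing import Optional
from urllib.parse import parse_qsl, urlencode

SECRET = b"constructed-demo-key"  # constructed key, for illustration only
SIGNED_FIELDS = ("action", "expires", "src", "uid")  # parameter names from the URL on the page


def _mac(params: dict) -> str:
    # Canonical form: the signed fields in a fixed order, URL-encoded.
    canonical = urlencode([(k, params[k]) for k in SIGNED_FIELDS])
    digest = hmac.new(SECRET, canonical.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode()


def make_invite_query(uid: str, expires: int) -> str:
    """Build the query string of an invite link (hypothetical helper)."""
    params = {"action": "acceptFriendship", "expires": str(expires),
              "src": "wtbfe", "uid": uid}
    params["sig"] = _mac(params)
    return urlencode(params)


def verify_invite_query(query: str, now: int) -> Optional[str]:
    """Return the uid if the link is authentic and unexpired, else None."""
    pairs = parse_qsl(query, keep_blank_values=True)
    params = dict(pairs)
    # Reject duplicated, missing or unexpected parameters outright.
    if len(pairs) != len(params) or set(params) != set(SIGNED_FIELDS) | {"sig"}:
        return None
    # Constant-time comparison; a changed uid yields a different MAC.
    if not hmac.compare_digest(_mac(params).encode(), params["sig"].encode()):
        return None
    # expires is only trusted after the MAC check has passed.
    if not params["expires"].isdigit() or int(params["expires"]) < now:
        return None
    return params["uid"]
```

A valid signature only proves the link was not altered; whether the logged-in viewer may see the sender's email address is a separate authorization check.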

Foursquare addressed the flaw within 24 hours of Eddine sending his report. The company doesn’t have a bug bounty program, but it has included the expert’s name in its hall of fame.
