
Disclosing the Primary Email address for each Facebook user


This post is going to be discussing how I was able to get the primary/hidden email address for any Facebook user. This also happens to be my first accepted bug to the Facebook Bug Bounty Program.


Back in September I got an email notification from Facebook stating I had been added as an Admin of a Facebook Page. I hadn't tested this functionality for bugs before and so, decided to mess around with it. I was able to quickly find an endpoint that disclosed the Admin's email addresses, and reported it to Facebook, only to be told that it was desired action due to the type of page it was.


Then on November 25th, a video was shared in a Slack group I'm a member of, describing a vulnerability which disclosed email address of Facebook users (it can be found here.) After watching the video and recognizing part of the HTTP request shown in it, I decided to go back and see if I could disclose user emails in a similar fashion.

I created a new test group and went to the settings -> Page Roles which can be found at This presented me with the following screen:

I then entered the name of my test account and added it as an Editor:

Now as a note, when you add someone to a role on your group, if they are on your Friends list, then they will be automatically added to the role you assign and Facebook will send them a notification. This is important because when you attempt to assign a role to a person you are not friends with, a request is sent to that person for them to accept or decline the invitation. While Facebook waits for the confirmation, the user is shown under the Page Roles tab, with a button to cancel the request.

After poking around for a bit on the domain with no success, I decided to switch to the mobile view and see if anything changed. So I navigated to the page: and instantly noticed something different.

This mobile page looks much more interesting! I quickly noticed that when you clicked the remove link on the mobile page, you were redirected to a page with the following URL:

Notice the param removependinginvite_email. When attempting to cancel the request from the mobile page, it would disclose the email address of the person I invited but was not friends with.
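As an added illustration (not code from the original post), this is the kind of check a defender can run over redirect targets or access-log URLs to catch this class of leak: flag any query parameter whose decoded value is an email address. The hostname and sample URLs below are constructed for the example; only the parameter name removependinginvite_email comes from the post.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample of URLs as they might appear in a web server or proxy log.
# The host "m.example.test" and the values are placeholders; only the parameter
# name "removependinginvite_email" echoes the one named in the post.
SAMPLE_URLS = [
    "https://m.example.test/pages/roles/?removependinginvite_email=alice%40example.test&refid=17",
    "https://m.example.test/pages/roles/?removependinginvite=12345&refid=17",
    "https://m.example.test/profile?email_opt_in=1",
]

# Deliberately simple email shape: one "@", no whitespace, a dot in the domain part.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def leaked_email_params(url):
    """Return (param, value) pairs whose percent-decoded value looks like an email.

    parse_qsl decodes %40 back to "@", so encoded addresses are caught too.
    """
    parts = urlsplit(url)
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if EMAIL_RE.match(value):
            hits.append((name, value))
    return hits


def scan(urls):
    """Map each offending URL to the parameters that carry an email address."""
    findings = {}
    for url in urls:
        hits = leaked_email_params(url)
        if hits:
            findings[url] = hits
    return findings


if __name__ == "__main__":
    for url, hits in scan(SAMPLE_URLS).items():
        for name, value in hits:
            print(f"email in query parameter {name!r}: {url}")
```

Running this over the constructed sample flags only the first URL, where the email rides in removependinginvite_email; a parameter that merely has "email" in its name but carries a flag or an id is not reported. In practice the same check belongs in a pre-release review of any redirect or cancel link that identifies a user, since a user-supplied email should travel as an opaque id, never as a URL parameter.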


The impact of this vulnerability could be diverse. Harvesting email addresses this way contradicts Facebook's privacy policy and could lead to targeted phishing attempts or other malicious purposes. Also as a note, this could only target users that were not already friends on Facebook, and after adding the person and then removing the request, the notification will disappear. This means an attacker could exploit this without the knowledge of the victim, unless they happen to get the notification and see it before the request was canceled.

Report Timeline:

Twitter: Thanks to @yaworsk for help with editing of this post.
