Aug 11, 2010 12:38 GMT

A Facebook feature that displays the profile matching the email address used in a failed login attempt can be leveraged by phishers to make their scams more credible.

In a new example of Facebook features being designed with complete disregard for security, whenever a wrong password is submitted for a registered email address, the login page displays the profile name associated with that address. In effect, anyone who knows an email address can confirm, without authenticating, that it belongs to a Facebook account and learn the real name attached to it.

Whatever practical use this behavior might have is completely overshadowed by its security and privacy implications.

For example, spammers and, more importantly, phishers regularly harvest or buy lists of email addresses to target in their campaigns.

It is also known that phishing or spam messages which address the recipient by their real name are a lot more credible and therefore more effective.

Such personalized attacks used to be rare, but now, thanks to Facebook's generous information sharing tendencies, that might change.

"Furthermore, it also gives out the profile picture [...]. Facebook users have no control over this, as this works even when you have set all privacy settings properly," writes Atul Agarwal, a user who pointed out the issue on the Full Disclosure mailing list.

Agarwal also released a PHP script that automates the profile matching and name harvesting: it submits a list of email addresses with a bogus password and records the name returned for each failed attempt. "Rest is only left up to one's imagination," he notes.
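What the failed-login behavior amounts to on the server side, and what a harvesting script of the kind described above does with it, as an added example that is not from the article, from Agarwal's script or from Facebook: a toy login handler that reproduces the leak, next to one that answers an unknown address and a wrong password identically. All accounts, email addresses, passwords and the `_USERS` directory are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed in-memory user directory (not real Facebook data). Passwords are
# stored as salted PBKDF2-HMAC-SHA256 hashes; the profile fields are what the
# leaky handler hands back on a wrong password.
_USERS = {}

# Dummy salt/hash used for unknown addresses so the uniform handler does the
# same amount of work whether or not the email is registered (constructed).
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hashlib.pbkdf2_hmac("sha256", b"dummy", _DUMMY_SALT, 20_000)


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)


def register(email, name, photo, password):
    """Add a constructed account to the in-memory directory."""
    salt = os.urandom(16)
    _USERS[email] = {"name": name, "photo": photo,
                     "salt": salt, "hash": _hash(password, salt)}


def login_leaky(email, password):
    """Mirrors the behavior the article describes: a wrong password for a
    registered address is answered with that account's name and picture."""
    user = _USERS.get(email)
    if user is None:
        return {"ok": False, "error": "unknown email"}
    if not hmac.compare_digest(_hash(password, user["salt"]), user["hash"]):
        # The leak: the failed attempt reveals identifying profile data.
        return {"ok": False, "error": "wrong password",
                "name": user["name"], "photo": user["photo"]}
    return {"ok": True, "name": user["name"]}


def login_uniform(email, password):
    """Hardened form: the reply for an unknown address and for a wrong
    password is identical and carries no profile data."""
    user = _USERS.get(email)
    salt = user["salt"] if user else _DUMMY_SALT
    stored = user["hash"] if user else _DUMMY_HASH
    # Always compute the hash, so unknown addresses are not cheaper to probe.
    ok = hmac.compare_digest(_hash(password, salt), stored) and user is not None
    if not ok:
        return {"ok": False, "error": "incorrect email or password"}
    return {"ok": True, "name": user["name"]}


def harvest(candidates, login):
    """What a harvesting script amounts to: submit each address from a list
    with a junk password and keep whatever name the reply reveals."""
    found = {}
    for email in candidates:
        reply = login(email, "definitely-not-the-password")
        if "name" in reply:
            found[email] = reply["name"]
    return found


# Constructed sample accounts and a constructed target list.
register("alice@example.com", "Alice Example", "/photos/alice.jpg", "hunter2!")
register("bob@example.com", "Bob Example", "/photos/bob.jpg", "correct horse")
CANDIDATES = ["alice@example.com", "nobody@example.com", "bob@example.com"]

if __name__ == "__main__":
    print("leaky  :", harvest(CANDIDATES, login_leaky))
    print("uniform:", harvest(CANDIDATES, login_uniform))
```

Run against the leaky handler, `harvest` maps both registered addresses to real names while the unregistered one is silently skipped, which is exactly the email-to-profile oracle the article describes. Against the uniform handler it learns nothing: the error text, the set of fields and the amount of hashing work are the same for an unknown address and a wrong password, so neither the body nor the timing tells the two cases apart.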

And indeed it is, as enhancing the credibility of phishing attacks is just one example of how this misguided feature can be abused for malicious purposes.

Last week, a BitDefender security researcher demonstrated how Facebook profiles can be matched to stolen passwords that have already been leaked on the Internet.

To do this, the researcher relied on information from Facebook's public directory. The failed-login behavior would make the process a lot easier and more accurate, since it maps a leaked email address directly to the profile registered under it instead of requiring a search by name.

You can follow the editor on Twitter @lconstantin