14 DAY TRIAL // Last year, security researcher Jamal Eddine discovered a Foursquare bug that could have been exploited to obtain the primary email addresses of all Foursquare accounts. The privacy issue was addressed quickly by the social network, but the expert only published his findings a few days ago.
The flaw was found in the invitations sent out by users when they wanted to befriend someone. The URL in the friend request contains a parameter called “uid,” which is associated with the sender’s email address.
By changing the value of “uid,” the primary email address of all Foursquare users could have been obtained.
The request looks something like this:
https://foursquare.com/mehdi?action=acceptFriendship&expires=1378920415&src=wtbfe&uid=64761059&sig=mmlx96RwGrQ2fJAg4OWZhAWnDvc%3D
Each time the value of the “uid” was changed, a different email address was displayed in the request window.
Foursquare addressed the flaw within 24 hours after Eddine sent his report. The company doesn't have a bug bounty program, but it has included the expert's name in its hall of fame.
Additional details are available on Eddine’s blog.