Computerworld reports that a new Facebook bug could be used by spammers to harvest user names and photographs.
Apparently, entering the e-mail address of a Facebook user with the wrong password returns a special “Please re-enter your password” page. This page shows the Facebook photo and full name of the person associated with the address. The feature is supposed to help people figure out if they’ve mistyped their e-mail address at login. However, it could be abused by spammers to gather information on Facebook users.
Researcher Atul Agarwal says the feature could be used by someone to generate random e-mail addresses, who could then check to see if they really worked.
Facebook places the blame on a recently introduced bug:
We have technical systems in place to prevent people’s names and photos from showing to unrelated users upon login, but a recently introduced bug temporarily prevented these from working as intended … We are already working on a fix and expect to remedy the situation shortly.