A bug in Facebook's login system "allows attackers to match unknown email addresses with users' first and last names, even when they've configured their accounts to make that information private. If the address belongs to any one of the 500 million active users on Facebook, the social-networking site will return the full name and picture associated with the account," revealed The Register…."Facebook users have no control over this, as this works even when you've set all privacy settings properly."
Exploiting the vulnerability is as easy as entering the email address into the Facebook sign-on page, typing a random password and hitting enter.
Important: It looks it's related some privacy setting, as I've tried many combinations before posting, on some I received normal login failure screen with "no profile" details, but on some accounts, I got as The Register reported. Here're the pics of my test:
No profile displayed for this account:
Profiles displayed here: