Summary
Whose smart idea was it to reveal creator email addresses to the entire public internet without any form login required to see the address? And even when logged in the email should not be given away without completing a captcha and even then it should not be in plain text to make it computationally taxing to scrape creator emails. This design decision just shows the blatant lack of any form of foresight on part of the developers who made the website. Ever since I registered with fab.com I get tons of spam, some of it very sophisticated (ingesting images of my models) asking me to go off-side and register with a 3rd party ‘service’ that will steal my 3D models. The point of these scams is to extract work from creators.
In my opinion, you should completely remove the email address from ‘https://www.fab.com/sellers//about’ and make it so that if someone wants to contact a creator they have to log in and use the messaging system within fab so the spam is visible to the website (it can be blocked).
What type of bug are you experiencing?
Other
URL where the bug was encountered
Steps to Reproduce
Open a private tab in any browser, go to any creator’s about page, say:
And you can see the full email address displayed. Not even a passing attempt is made to obfuscate this private information from web scrapers. How is it possible that since 2009 Google has a captcha service to obfuscate email but here, purely by design decision you just show the full details to the entire world?
Expected Result
Your email should not be displayed. If you do have to display a creator’s email, make it so an outsider has to create a fab.com account to see it at very least.
Observed Result
You guys have absolutely zero foresight, no understanding of cyber-secutiry, and of how scammers obtain your information for phishing purposes, therefore you allow the /about field to display an un-obfuscated email address of every creator. For comparison, on say YouTube it has to be manually enabled by the creator allowed, and even then it’s hidden behind a captcha.
Platform
Firefox the problem is not specific to a platform. It’s a design issue on part of engineers who made the website.
Operating System
Pop OS (Linux). The problem is not specific to an operating system. I’m just an engineer so I use Linux, but you can reproduce the issue on any platform.
Upload an image
Additional Notes
Make it optional to display your email address on the /about page and off by default. If it’s enabled, obscure the email so that it’s not easy to programmatically extract - present it as an image, replace the @ with a random symbol, add visual noise, create a javascript computational challenge in the user’s browser, ask for a captcha to be filled twice, rate-limit the request by making the user wait, maintain a ban list of IP addresses.
Furthermore there is the problem of creator pages https://www.fab.com/sellers/ not having any form of scraping protection like a computational challenge inside the browser, progressive lazy loading. I had people scrape all of the thumbnail images and then present me with their own websites with my portfolio on them.
You can easily stop the revenue stream of scammers who send phishing emails to creators to extract work from them and re-sell their models.
STOP MAKING IT EASY FOR SCAMMERS TO FIND YOUR EMAIL



