Revealing creator emails to web scrapers

Summary

Whose smart idea was it to reveal creator email addresses to the entire public internet without any form login required to see the address? And even when logged in the email should not be given away without completing a captcha and even then it should not be in plain text to make it computationally taxing to scrape creator emails. This design decision just shows the blatant lack of any form of foresight on part of the developers who made the website. Ever since I registered with fab.com I get tons of spam, some of it very sophisticated (ingesting images of my models) asking me to go off-side and register with a 3rd party ‘service’ that will steal my 3D models. The point of these scams is to extract work from creators.
In my opinion, you should completely remove the email address from ‘https://www.fab.com/sellers//about’ and make it so that if someone wants to contact a creator they have to log in and use the messaging system within fab so the spam is visible to the website (it can be blocked).

What type of bug are you experiencing?

Other

URL where the bug was encountered

Steps to Reproduce

Open a private tab in any browser, go to any creator’s about page, say:

And you can see the full email address displayed. Not even a passing attempt is made to obfuscate this private information from web scrapers. How is it possible that since 2009 Google has a captcha service to obfuscate email but here, purely by design decision you just show the full details to the entire world?

Expected Result

Your email should not be displayed. If you do have to display a creator’s email, make it so an outsider has to create a fab.com account to see it at very least.

Observed Result

You guys have absolutely zero foresight, no understanding of cyber-secutiry, and of how scammers obtain your information for phishing purposes, therefore you allow the /about field to display an un-obfuscated email address of every creator. For comparison, on say YouTube it has to be manually enabled by the creator allowed, and even then it’s hidden behind a captcha.

Platform

Firefox the problem is not specific to a platform. It’s a design issue on part of engineers who made the website.

Operating System

Pop OS (Linux). The problem is not specific to an operating system. I’m just an engineer so I use Linux, but you can reproduce the issue on any platform.

Upload an image

Additional Notes

Make it optional to display your email address on the /about page and off by default. If it’s enabled, obscure the email so that it’s not easy to programmatically extract - present it as an image, replace the @ with a random symbol, add visual noise, create a javascript computational challenge in the user’s browser, ask for a captcha to be filled twice, rate-limit the request by making the user wait, maintain a ban list of IP addresses.
Furthermore there is the problem of creator pages https://www.fab.com/sellers/ not having any form of scraping protection like a computational challenge inside the browser, progressive lazy loading. I had people scrape all of the thumbnail images and then present me with their own websites with my portfolio on them.
You can easily stop the revenue stream of scammers who send phishing emails to creators to extract work from them and re-sell their models.

STOP MAKING IT EASY FOR SCAMMERS TO FIND YOUR EMAIL

As a trader on Fab, my understanding is that EU law requires my business contact details, including my email address, to be publicly accessible. For that reason, I use a separate public-facing email address with filtering and spam protection enabled. I would still welcome stronger anti-scraping measures, but I do not think Fab can simply hide trader contact details.

If you hide all contact information and personal data, how can you communicate with buyers?
The proliferation of online scammers has always been rampant.

But you also have to respect your buyers. I often get confirmation via email before purchasing. There’s just no convenient system within the Fab itself that could replace that.

The old marketplace used to have an “ask a question” option. Now, it’s only available through a forum post, and even then, few people even know about it, and many don’t even create one.