Facebook flaw allowed access to accounts without authentication
Posted on 02 November 2012.
A commenter on the Hacker News website has discovered by accident a pretty big security flaw that could allow anyone who knew what to search for to access over a million Facebook accounts - all without needing to know the password.

He unearthed the flaw after receiving a Facebook notification email forwarded to him by a friend. The notification contained a link that lead directly to the friend's account, a fact he discovered after following it.

Toying with different search parameters taken directly from the link, he came to the amazing discovery that he could access other people's accounts.

A member of the Facebook security team noticed the comment, and they immediately set out to fix the flaw.

"We only send these URLs to the email address of the account owner for their ease of use and never make them publicly available. Even then we put protection in place to reduce the likelihood that anyone else could click through to the account," he explained.

"For a search engine to come across these links, the content of the emails would need to have been posted online (e.g. via throwaway email sites, as someone pointed out - or people whose email addresses go to email lists with online archives)."

Although the links expire after a period of time (and most of these 1.2 million links already have), are disabled as soon they are clicked on once, work only for certain users and Facebook runs additional security checks to make sure it looks like the account owner who's logging in, the feature can obviously be misused, so Facebook has turned it off until they can "better ensure its security for users whose email contents are publicly visible."

In the meantime, they have also been securing the accounts of anyone who recently logged in through these links.






Spotlight

Intentional backdoors in iOS devices uncovered

Posted on 22 July 2014.  |  A researcher has revealed that Apple has equipped its mobile iOS with several undocumented features that can be used by attackers and law enforcement to access the sensitive data contained on the devices running it.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Tue, Jul 22nd
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //