A commenter on the Hacker News website has discovered by accident a pretty big security flaw that could allow anyone who knew what to search for to access over a million Facebook accounts – all without needing to know the password.
He unearthed the flaw after receiving a Facebook notification email forwarded to him by a friend. The notification contained a link that lead directly to the friend’s account, a fact he discovered after following it.
Toying with different search parameters taken directly from the link, he came to the amazing discovery that he could access other people’s accounts.
A member of the Facebook security team noticed the comment, and they immediately set out to fix the flaw.
“We only send these URLs to the email address of the account owner for their ease of use and never make them publicly available. Even then we put protection in place to reduce the likelihood that anyone else could click through to the account,” he explained.
“For a search engine to come across these links, the content of the emails would need to have been posted online (e.g. via throwaway email sites, as someone pointed out – or people whose email addresses go to email lists with online archives).”
Although the links expire after a period of time (and most of these 1.2 million links already have), are disabled as soon they are clicked on once, work only for certain users and Facebook runs additional security checks to make sure it looks like the account owner who’s logging in, the feature can obviously be misused, so Facebook has turned it off until they can “better ensure its security for users whose email contents are publicly visible.”
In the meantime, they have also been securing the accounts of anyone who recently logged in through these links.