Facebook flaw allowed access to accounts without authentication
Posted on 02 November 2012.
A commenter on the Hacker News website has discovered by accident a pretty big security flaw that could allow anyone who knew what to search for to access over a million Facebook accounts - all without needing to know the password.

He unearthed the flaw after receiving a Facebook notification email forwarded to him by a friend. The notification contained a link that lead directly to the friend's account, a fact he discovered after following it.

Toying with different search parameters taken directly from the link, he came to the amazing discovery that he could access other people's accounts.

A member of the Facebook security team noticed the comment, and they immediately set out to fix the flaw.

"We only send these URLs to the email address of the account owner for their ease of use and never make them publicly available. Even then we put protection in place to reduce the likelihood that anyone else could click through to the account," he explained.

"For a search engine to come across these links, the content of the emails would need to have been posted online (e.g. via throwaway email sites, as someone pointed out - or people whose email addresses go to email lists with online archives)."

Although the links expire after a period of time (and most of these 1.2 million links already have), are disabled as soon they are clicked on once, work only for certain users and Facebook runs additional security checks to make sure it looks like the account owner who's logging in, the feature can obviously be misused, so Facebook has turned it off until they can "better ensure its security for users whose email contents are publicly visible."

In the meantime, they have also been securing the accounts of anyone who recently logged in through these links.


Biggest ever cyber security exercise in Europe is underway

Posted on 30 October 2014.  |  More than 200 organisations and 400 cyber-security professionals from 29 European countries are testing their readiness to counter cyber-attacks in a day-long simulation, organised by the European Network and Information Security Agency (ENISA).

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.


Fri, Oct 31st