Facebook flaw allowed access to accounts without authentication
Posted on 02 November 2012.
A commenter on the Hacker News website has discovered by accident a pretty big security flaw that could allow anyone who knew what to search for to access over a million Facebook accounts - all without needing to know the password.

He unearthed the flaw after receiving a Facebook notification email forwarded to him by a friend. The notification contained a link that lead directly to the friend's account, a fact he discovered after following it.

Toying with different search parameters taken directly from the link, he came to the amazing discovery that he could access other people's accounts.

A member of the Facebook security team noticed the comment, and they immediately set out to fix the flaw.

"We only send these URLs to the email address of the account owner for their ease of use and never make them publicly available. Even then we put protection in place to reduce the likelihood that anyone else could click through to the account," he explained.

"For a search engine to come across these links, the content of the emails would need to have been posted online (e.g. via throwaway email sites, as someone pointed out - or people whose email addresses go to email lists with online archives)."

Although the links expire after a period of time (and most of these 1.2 million links already have), are disabled as soon they are clicked on once, work only for certain users and Facebook runs additional security checks to make sure it looks like the account owner who's logging in, the feature can obviously be misused, so Facebook has turned it off until they can "better ensure its security for users whose email contents are publicly visible."

In the meantime, they have also been securing the accounts of anyone who recently logged in through these links.






Spotlight

The synergy of hackers and tools at the Black Hat Arsenal

Posted on 27 August 2014.  |  Tucked away from the glamour of the vendor booths and the large presentation rooms filled with rockstar sessions, was the Arsenal - a place where developers were able to present their security tools and grow their community.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Fri, Aug 29th
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //