Facebook flaw bypasses password protections

Updated on: 2012-11-04 || Source: bbc.com

Facebook has moved quickly to shut down a loophole which made some accounts accessible without a password.

The bug was exposed in a message posted to the Hacker News website.

The message contained a search string that, when used on Google, returned a list of links to 1.32 million Facebook accounts.

In some cases clicking on a link logged in to that account without the need for a password. All the links exposed the email addresses of Facebook users.

Throwaway account

The message posted to Hacker News used a search-engine query that surfaced links generated by a Facebook feature which lets users log straight back in to their account.

Email alerts about status updates and notifications often contain a link that lets a user of the social network respond quickly: clicking it logs them in to their account without entering a password.

In a comment added to the Hacker News message, Facebook security engineer Matt Jones said the links were typically only sent to the email addresses of account holders. Links sent in this way can only be clicked once.

"For a search engine to come across these links, the content of the emails would need to have been posted online," he wrote. Mr Jones suspected this is what happened as many of the email addresses exposed were for throwaway mail sites or for services that did a bad job of protecting archived messages.

Most of the million or so links exposed would already have expired, said Mr Jones.
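The mechanism described above, a link that logs a user in once and then expires, can be modelled in a few lines. The following is an added example and not Facebook's code: the link format, the 24-hour lifetime and the e-mail address are assumptions. It shows why single use and expiry do not help when a never-clicked link is posted publicly and indexed before its owner uses it, and what revoking an account's outstanding links looks like as a remediation step.

```python
"""Single-use, expiring e-mail login links: issuance, redemption and the
leaked-link failure mode. Constructed example, not Facebook's implementation."""
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlparse

# Hypothetical link format; the real URLs are not reproduced here.
LINK_BASE = "https://social.example/n/?"
DEFAULT_TTL = 24 * 3600  # assumed lifetime; the article gives no figure


class LoginLinkService:
    def __init__(self, ttl_seconds=DEFAULT_TTL, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock            # injectable for deterministic tests
        self._pending = {}            # sha256(token) -> (account, expires_at)

    @staticmethod
    def _digest(token):
        # Store only a hash so a leaked table does not yield usable links.
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, account):
        """Mint a link to embed in a notification e-mail sent to `account`."""
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._pending[self._digest(token)] = (account, self.clock() + self.ttl)
        return LINK_BASE + "login=" + token

    def redeem(self, link):
        """Log in whoever presents `link`. Returns (account, reason)."""
        token = parse_qs(urlparse(link).query).get("login", [""])[0]
        entry = self._pending.pop(self._digest(token), None)  # pop = single use
        if entry is None:
            return None, "unknown or already used"
        account, expires_at = entry
        if self.clock() > expires_at:
            return None, "expired"
        return account, "ok"

    def revoke_all(self, account):
        """Remediation: invalidate every outstanding link for one account."""
        self._pending = {h: v for h, v in self._pending.items() if v[0] != account}


def leaked_link_scenario():
    """Replay the failure mode: an unused link that was posted publicly still
    logs in the first party to click it, attacker or owner."""
    now = [1_352_000_000.0]                          # constructed epoch time
    svc = LoginLinkService(clock=lambda: now[0])
    link = svc.issue("alice@throwaway.example")     # constructed address

    # The e-mail containing the link is archived on a public site and crawled.
    # Nobody has clicked it yet, so the first click (the attacker's) succeeds.
    attacker_result = svc.redeem(link)
    owner_result = svc.redeem(link)                  # second click: rejected

    # A link left unclicked beyond its TTL is rejected by expiry alone.
    stale = svc.issue("alice@throwaway.example")
    now[0] += DEFAULT_TTL + 1
    stale_result = svc.redeem(stale)
    return attacker_result, owner_result, stale_result


if __name__ == "__main__":
    for result in leaked_link_scenario():
        print(result)
```

Single use and expiry only bound the window; they do not distinguish the account holder from a crawler-fed attacker who reaches the link first, which is why the feature was switched off rather than patched in place.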

"Regardless, due to some of these links being disclosed, we've turned the feature off until we can better ensure its security for users whose email contents are publicly visible," he said.

Mr Jones added that Facebook had taken steps to secure the accounts of people who had been exposed by the flaw. Many of the exposed accounts were in Russia and China.

In an official statement, Facebook said the links were sent "directly to private email addresses to help people easily access their accounts, and we never made them publicly available or crawlable."

However, it said, the links were then posted elsewhere online, which led to them being indexed by search engines.

It said: "While we have always had protections on these private links to provide an additional layer of security, we have since disabled their functionality completely and are remediating the accounts of anyone who recently used this feature."

Copyright © 2018. Jumbo Education (Information Technology). All rights reserved.