Facebook, known for its privacy efforts, has moved quickly to shut down a loophole which made some accounts accessible without a password. The error was exposed in a message posted to the Hacker News website. On the message, there was a search sting that, when used on Google, returned a list of links to 1.32 million Facebook accounts. Clicking the link loggin in to that account without the need to log in on some cases. All the links showed the email addresses of the Facebook users.
The message posted on Hacker News used a search syntax that exposed a systm used by Facebook that allows users to quickly log back in to their accounts. Email alerts that are sent out to users of the network regarding status updates and notifications allows for users to respond quickly and log in to their account simply by clicking it. Facebook security engineer, Matt Jones, said the links were typically sent out to the email addresses of perspective account holders and that the links could only be clicked once. Jones states, “For a search engine to come across these links, the contents of the emails would need to have been posted online.” Mr. Jones believes this is what happened due to the email addresses that were listed were for throwaway mail sites or for services that did a bad job of protecting archived messages. Jones says most of the millions of the links would have already expired.
Facebook has turned the feature off due to the exposure of the exposure of the links until the security issues are resolved. Facebook has taken steps to secure the accounts of people who have been exposed by the flaw. Many of the accounts came from Russia and China.
In an official statement, Facebook said the links were sent privately to the email addresses and not made publicly available. However, the links somehos were made available online which allowed them to be found on search engines.
Signed, Shanika Simmons
