Facebook flaw bypasses password protections

Facebook homepage The flaw meant many accounts were viewable with a click

Related Stories

Facebook has moved quickly to shut down a loophole which made some accounts accessible without a password.

The bug was exposed in a message posted to the Hacker News website.

The message contained a search string that, when used on Google, returned a list of links to 1.32 million Facebook accounts.

In some cases clicking on a link logged in to that account without the need for a password. All the links exposed the email addresses of Facebook users.

Throwaway account

The message posted to Hacker News used a search syntax that exposed a system used by Facebook that lets users quickly log back in to their account.

Email alerts about status updates and notifications often contain a link that lets a user of the social network respond quickly by clicking it to log in in to their account.

In a comment added to the Hacker News message, Facebook security engineer Matt Jones said the links were typically only sent to the email addresses of account holders. Links sent in this way can only be clicked once.

"For a search engine to come across these links, the content of the emails would need to have been posted online," he wrote. Mr Jones suspected this is what happened as many of the email addresses exposed were for throwaway mail sites or for services that did a bad job of protecting archived messages.

Most of the million or so links exposed would already have expired, said Mr Jones.

"Regardless, due to some of these links being disclosed, we've turned the feature off until we can better ensure its security for users whose email contents are publicly visible," he said.

Mr Jones added that Facebook had taken steps to secure the accounts of people who had been exposed by the flaw. Many of the exposed accounts were in Russia and China.

In an official statement, Facebook said the links were sent "directly to private email addresses to help people easily access their accounts, and we never made them publicly available or crawlable."

However, it said, the links were then posted elsewhere online which led to them being indexed on search engines.

It said: "While we have always had protections on these private links to provide an additional layer of security, we have since disabled their functionality completely and are remediating the accounts of anyone who recently used this feature."

More on This Story

Related Stories

The BBC is not responsible for the content of external Internet sites

More Technology stories

RSS

Features & Analysis

BBC Future

(Getty Images)

Secrets of the aircraft boneyards

The vast storage sites for surplus planes Read more...

Programmes

  • A computer simulation showing a planned station upgrade in Hong KongClick Watch

    Simulated world - how architects are using virtual and augmented reality to transform our cities

BBC © 2014 The BBC is not responsible for the content of external sites. Read more.

This page is best viewed in an up-to-date web browser with style sheets (CSS) enabled. While you will be able to view the content of this page in your current browser, you will not be able to get the full visual experience. Please consider upgrading your browser software or enabling style sheets (CSS) if you are able to do so.