Facebook Software Engineer Matt Jones responded to a report on Hacker News about a loophole in emails sent out by the social network that could have allowed anyone who found the content of those emails via Google searches to access users’ accounts without entering passwords.
The loophole involved emails about friend requests or friends commenting on status updates, which contained links that let the recipient enter their Facebook account without authenticating. The Hacker News report added that Google users who discovered the content of these emails also had access to the email addresses associated with the Facebook accounts.
Jones posted on Hacker News:
My name is Matt Jones, and I work on the Facebook security team that looked into this tonight. We only send these URLs to the email address of the account owner for their ease of use and never make them publicly available. Even then, we put protection in place to reduce the likelihood that anyone else could click through to the account.
For a search engine to come across these links, the content of the emails would need to have been posted online (e.g. via throwaway email sites, as someone pointed out — or people whose email addresses go to email lists with online archives).
As jpadvo surmised, the nonces expire after a period of time. They also only work for certain users, and even then we run additional security checks to make sure it looks like the account owner who’s logging in. Regardless, due to some of these links being disclosed, we’ve turned the feature off until we can better ensure its security for users whose email contents are publicly visible. We are also securing the accounts of anyone who recently logged in through this flow.
In the future, if you run into something that looks like a security problem with Facebook, feel free to disclose it responsibly through our whitehat program: https://www.facebook.com/whitehat. That way, in addition to making some money, you can avoid a bunch of script kiddies exploiting whatever the issue is that you’ve found.
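The safeguards Jones lists (nonces that expire, links bound to one account, and an extra check on the client that redeems them) can be illustrated with the small Python service below. It is an added example written for this page, not Facebook's code; the secret, the URL host and the "known client" cookie check are constructed assumptions.

```python
"""Single-use, expiring login nonce with an extra client check.
Added illustration of the controls described above; NOT Facebook's code.
Secret, URL host and the cookie-based client check are constructed."""
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Optional, Tuple


class MagicLinkService:
    def __init__(self, secret: bytes, ttl_seconds: int,
                 clock: Callable[[], float] = time.time) -> None:
        self._secret = secret
        self._ttl = ttl_seconds
        self._clock = clock  # injectable so expiry can be tested deterministically
        self._pending: Dict[str, Tuple[str, float]] = {}  # digest -> (user, expiry)

    def _digest(self, nonce: str) -> str:
        # Store only an HMAC of the nonce: a leaked table does not yield usable links.
        return hmac.new(self._secret, nonce.encode(), hashlib.sha256).hexdigest()

    def issue(self, user_id: str) -> str:
        """Create a link for ONE account that stops working after ttl_seconds."""
        nonce = secrets.token_urlsafe(32)
        self._pending[self._digest(nonce)] = (user_id, self._clock() + self._ttl)
        return "https://example.invalid/n/" + nonce  # constructed host

    def redeem(self, url: str, client_known_for: Optional[str]) -> Tuple[bool, str]:
        """client_known_for: account this browser has logged into before (from a
        cookie), or None for a browser never seen. Returns (ok, user_or_reason)."""
        nonce = url.rsplit("/", 1)[-1]
        # pop() makes the nonce single-use, even when the attempt is rejected below
        entry = self._pending.pop(self._digest(nonce), None)
        if entry is None:
            return False, "unknown or already-used nonce"
        user_id, expires_at = entry
        if self._clock() > expires_at:
            return False, "expired"
        if client_known_for != user_id:
            # A link found via a search engine arrives from an unfamiliar browser:
            # refuse it and fall back to the normal password login.
            return False, "unrecognised client"
        return True, user_id
```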
Sophos’ Naked Security blog also weighed in on the loophole:
Hopefully this isn’t a news flash, but emails are not secure nor private if you haven’t encrypted them.
This is the same reason we don’t email people our credit card information and don’t send new passwords to people via email. It’s not secure.
Facebook has suspended the practice, albeit temporarily. Let’s hope it wises up and realizes this cannot be done safely and leaves it disabled permanently.
Most users stay logged into Facebook and don’t clear their cookies as it is. Having a password bypass by magic link is simply unnecessary.