A few Facebook users found a loophole in the post-via-email feature of groups. Luckily, instead of exploiting it, they let Facebook and The Next Web know. An attacker can set the “From” field to a victim’s email address and post text and photos as that member of the group. Facebook told The Next Web that while it knows about this issue, there’s not much it can do.
This does not apply to every group, only those that have the group email feature enabled. If a hacker finds out the email address associated with a group member’s profile, the hacker can post as that person.
The three users who found this issue explained it to The Next Web:
Here is how it works: The attacker just has to compose a new email, change the “from” field in the mail header, and replace it with the victim’s email address, and then send the email to the group email address. The exploit works because Facebook does not employ a verification system to check who the email is coming from; the service simply believes the victim is sending the email and posts it as that Facebook user to the group’s wall on the victim’s behalf.
Facebook group email updates, similar to all emails received over SMTP, do not provide authentication for the sender address. This is a known vulnerability of the SMTP system, but Facebook will seek to display a warning whenever the sender cannot be authenticated. To help ensure a secure environment, our system rejects most unauthenticated email to groups, but there are still a few cases where we accept the message and warn the user due to a high rate of false positives and limited adoption of authentication standards. We’re working with the industry to develop better standards and practices to close those remaining holes. We remind all of our users to be careful whenever they receive a message from an unrecognized or unauthenticated source.
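As an added example (not Facebook’s code, nor code from the article), here is the kind of gating an inbound post-by-email gateway can apply, modelled on the three outcomes Facebook’s statement describes: reject unauthenticated mail, accept authenticated mail, and accept-but-warn in the narrow case where the sender’s domain publishes no authentication records. It assumes a trusted MTA in front of it has already evaluated SPF, DKIM and DMARC and recorded the verdicts in an Authentication-Results header (RFC 8601); the member list, authserv-id, domains and messages are all constructed.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Hypothetical gateway for a group's post-by-email address (an added example, not
# Facebook's code). It reads the Authentication-Results header (RFC 8601) that
# our own MTA stamps after SPF/DKIM/DMARC checks. All names below are constructed.
GROUP_MEMBERS = {"alice@example.com", "bob@example.net"}
TRUSTED_AUTHSERV = "mx.group-host.example"   # authserv-id of our own MTA
LEGACY_DOMAINS = {"example.net"}             # no SPF/DKIM/DMARC published yet

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)"
                     r"(?:[^;]*?\b(?:header\.d|smtp\.mailfrom|header\.from)=([^\s;]+))?", re.I)

def auth_results(msg):
    """Map method -> (verdict, domain). Only headers stamped by our own MTA
    count; the gateway must not trust verdicts that arrived from outside."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        if (hdr.split(";", 1)[0].split() or [""])[0] != TRUSTED_AUTHSERV:
            continue
        for method, verdict, ident in AUTH_RE.findall(hdr):
            domain = ident.rsplit("@", 1)[-1].lower()
            results.setdefault(method.lower(), (verdict.lower(), domain))
    return results

def triage_group_post(raw):
    """Return ('accept' | 'warn' | 'reject', reason) for one raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender not in GROUP_MEMBERS:
        return "reject", "From address is not a group member"
    from_domain = sender.rsplit("@", 1)[-1]
    res = auth_results(msg)
    if res.get("dmarc", ("", ""))[0] == "pass":
        return "accept", "DMARC pass for the From domain"
    if any(v in ("fail", "softfail") for v, _ in res.values()):
        return "reject", "an SPF/DKIM/DMARC check failed"
    for m in ("dkim", "spf"):            # no DMARC verdict: accept an aligned pass
        if res.get(m) == ("pass", from_domain):
            return "accept", f"{m} pass aligned with the From domain"
    if from_domain in LEGACY_DOMAINS:    # the "accept and warn the user" case
        return "warn", "unauthenticated; sender domain publishes no records"
    return "reject", "unauthenticated sender"

def sample(from_addr, ar):
    """Constructed message as our MTA would hand it over, with its A-R header."""
    return (f"Authentication-Results: {TRUSTED_AUTHSERV}; {ar}\r\nFrom: {from_addr}\r\n"
            f"To: group@group-host.example\r\nSubject: hi\r\n\r\nposted by email\r\n").encode()
```

The “warn” branch is the residual hole the statement admits to: until a member’s domain publishes SPF, DKIM and DMARC records, the gateway cannot distinguish that member’s real mail from a forged From header and can only flag the post.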
Readers: Have you ever seen this pop up in your Facebook groups?
Image courtesy of Shutterstock.