Saturday, November 3, 2012

Facebook flaw bypasses password protections

Facebook has moved quickly to shut down a loophole which made some accounts accessible without a password.

The bug was exposed in a message posted to the Hacker News website.

The message contained a search string that, when used on Google, returned a list of links to 1.32 million Facebook accounts.


In some cases, clicking one of the links logged the visitor in to that account without a password being asked for. All of the links exposed the email address of a Facebook user.
Throwaway account

The Hacker News post used a Google search string that exposed a Facebook system for letting users log back in to their account quickly.

Email alerts about status updates and notifications often contain a link that lets a user of the social network respond quickly: clicking it logs them in to their account.

In a comment added to the Hacker News message, Facebook security engineer Matt Jones said the links were typically only sent to the email addresses of account holders. Links sent in this way can only be clicked once.
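The properties the article describes for such a notification-login link (it is sent only to the account holder's mailbox, and it works only once) are easy to get wrong. The sketch below is an added example and not Facebook's code or any code from the original article: it is a hypothetical "magic link" issuer and redeemer in plain Python, with an assumed in-memory token store standing in for a database, an assumed per-deployment secret, and made-up URLs. It shows the three checks a redeemer should make (signature, expiry, single use) and why a link that later turns up in a search engine index is useless once the legitimate recipient has clicked it.

```python
"""Single-use, expiring e-mail login links ("magic links").

Added illustrative example; this is NOT Facebook's implementation. The
store, key and URLs are assumptions for the demonstration only.
"""
import base64
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed per-deployment secret used to sign links (would come from a KMS).
SERVER_KEY = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 24 * 3600

# Constructed in-memory store of tokens not yet consumed, keyed by token id.
# Value is (user_id, expiry). A real service would use a database or cache.
_pending: Dict[str, Tuple[str, int]] = {}


def _sign(token_id: str, user_id: str, expiry: int) -> str:
    """HMAC over every field the URL carries, so none can be edited."""
    msg = f"{token_id}|{user_id}|{expiry}".encode()
    mac = hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()


def issue_login_link(user_id: str, base_url: str,
                     now: Optional[int] = None) -> str:
    """Create a one-time login URL to embed in a notification e-mail."""
    now = int(time.time()) if now is None else now
    token_id = secrets.token_urlsafe(16)      # 128 bits of randomness
    expiry = now + TOKEN_TTL_SECONDS
    _pending[token_id] = (user_id, expiry)
    query = urlencode({"u": user_id, "t": token_id, "e": expiry,
                       "s": _sign(token_id, user_id, expiry)})
    return f"{base_url}?{query}"


def redeem_login_link(url: str, now: Optional[int] = None) -> Optional[str]:
    """Return the user id to log in, or None if the link is forged,
    expired or already used. Consumes the token on success."""
    now = int(time.time()) if now is None else now
    q = parse_qs(urlparse(url).query)
    try:
        user_id, token_id = q["u"][0], q["t"][0]
        expiry, sig = int(q["e"][0]), q["s"][0]
    except (KeyError, IndexError, ValueError):
        return None
    # 1. Constant-time signature check: an edited or forged link fails here.
    if not hmac.compare_digest(sig, _sign(token_id, user_id, expiry)):
        return None
    # 2. Expiry: old links sitting in mailboxes or indexes die on their own.
    if now >= expiry:
        _pending.pop(token_id, None)
        return None
    # 3. Single use: pop() removes the record, so a second click (for example
    #    by whoever finds the URL in a search engine) gets None.
    record = _pending.pop(token_id, None)
    if record is None or record != (user_id, expiry):
        return None
    return user_id


if __name__ == "__main__":
    link = issue_login_link("alice", "https://example.test/n/login")
    print("first click :", redeem_login_link(link))   # alice
    print("second click:", redeem_login_link(link))   # None
```

Single use only protects the account if the legitimate recipient clicks first; a token that reaches a search engine before that (for instance because the mail was forwarded or the URL was submitted to a web form) is still live, which is why the expiry check and a short lifetime matter as well. Expired records are removed lazily here; a real store would also purge them on a schedule.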
