Convenience trumped security bypassing passwords on Facebook

Filed Under: Facebook, Privacy, Vulnerability

Shutterstock image of no keys neededWe've all seen the emails, "*FRIEND* wants to be friends with you on Facebook", or "*FRIEND* commented on your status."

When you receive these messages there is a convenient button "Confirm friend request" or "See comment" embedded in the email message.

To ensure a frictionless experience, Facebook was embedding a cookie-like identifier in the links so you would not need to login to Facebook to acknowledge friend requests and other messages.

Anytime there is a method to bypass a security mechanism it will be abused and this feature was no exception.

According to the BBC a message was posted to The Hacker News showing how to identify messages from Facebook that contain these secret links using search engine queries.

A Facebook security engineer seemed surprised that this happened saying to the BBC "For a search engine to come across these links, the content of the emails would need to have been posted online."

Hopefully this isn't a news flash, but emails are not secure nor private if you haven't encrypted them.

This is the same reason we don't email people our credit card information and don't send new passwords to people via email. It's not secure.

Facebook has suspended the practice, albeit temporarily. Let's hope they wise up and realize this cannot be done safely and leave it disabled permanently.

Most users stay logged into Facebook and don't clear their cookies as it is, having a password bypass by magic link is simply unnecessary.

Facebook said the links were only valid for one click which strangely put users who follow our advice to not click links in emails at greater risk than those who clicked them.

Despite how this *did* work, don't click links in emails. Hopefully this is a lesson to any other organizations who may have been allowing similar authentication bypasses to stop.

No keys needed image courtesy of Shutterstock.

, , ,

You might like

12 Responses to Convenience trumped security bypassing passwords on Facebook

  1. Freida Gray · 531 days ago

    Those links really didn't work for me anyway.The only time I clicked to confirm a friend request from my e-mail the request wasn't confirmed.I also had to log back in to Facebook to confirm the request.When I did so,there was no request & no friend added.

    • Are you sure you weren't phished? You clicked the link in the email, which took you to a fake Facebook page asking you to login. You logged in (thus giving your login details to the phisher), but when redirected to *actual* Facebook, you had no request (because it was a phishing email?) Just a thought...

  2. Mick · 531 days ago

    Are password reset emails similarly at risk where anyone accessing the email in transit can jump in and change the password and take control of the account?

    • Chester Wisniewski · 531 days ago

      Yes. Email is unencrypted and available to anyone who can see the bits.

      • John Shier · 531 days ago

        Protect the bits!

      • Nigel · 529 days ago

        Chet: Some of us do use encrypted email, so it's not strictly true to say that email is unencrypted. Alas, so few use encryption that, for all practical purposes, your statement covers the overwhelming majority of messages.

        I have thought it through, and as far as I have been able to figure out, the widespread use of encrypted email would solve more problems than it would create. Yet, for the life of me, I still can't comprehend why the majority of people DON'T use email encryption.

        I have received messages from Sophos folks, and not one of them has ever been signed by an X.509 cert with a PKCS encryption key attached. If I cannot even correspond securely with a company like Sophos, it's clear that I need to adjust my expectations for the rest of the human species down to somewhere around zero. (sigh)

        • Chester Wisniewski · 528 days ago

          No one receives encrypted email from Facebook though (that I am aware of).

          Many of us at Sophos do sign our mail, but as you point out we do not have a standard policy to do so.

          I don't disagree with any of your points, but we have been trying to move beyond RFC822/SMTP and toward signatures, DKIM/SPF, etc, etc for 25 years and have not made much progress.

          Legacy bites.

  3. Don't they even consider the user's security?

    Obviously not.
    We're not customers ... we're the product.

    • NIgel · 529 days ago

      "We're not customers ... we're the product. "

      The fact that most Facebook users don't understand that is the key to Facebook's success.

  4. this is rather interesting as the links always work for me but only the one time so now I am confused. do I use these links or not, decision time, I found it better to sign out of my e-mail account and sign directly with Facebook rather than going through the e-mail account

    I have sent Facebook an e-mail requesting as to whether my account has been used by a third party but no reply has been received from Facebook .

    In my mind there is now doubt about Facebook security and as such I am considering removing my account from this social site. does anyone know of any social sites that are safe as it appears to me that the internet is completely corrupt with nothing but crooks on board.

    • You will find that it is next to impossible to remove a Facebook account without obtaining a court order. Why would Facebook destroy part of the product they are selling to their customers - the advertisers?

  5. My sister-in-law has been dead for about 2 years. Facebook won't remove her account (because that would be removing their ability to defraud their customers), and it's unusual for a week to go by without someone on Facebook asking me how they got a friend request from her (not via email, within Facebook's message system).

    My answer is simple: Facebook is a bit less secure than free-range chickens in fox country.

    I'm posting this from a Facebook account, partly to prove a point.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.