We’ve all seen the emails, “*FRIEND* wants to be friends with you on Facebook”, or “*FRIEND* commented on your status.”
When you receive these messages there is a convenient button “Confirm friend request” or “See comment” embedded in the email message.
To ensure a frictionless experience, Facebook was embedding a cookie-like identifier in the links so you would not need to login to Facebook to acknowledge friend requests and other messages.
Anytime there is a method to bypass a security mechanism it will be abused and this feature was no exception.
According to the BBC, a message was posted to The Hacker News showing how to identify messages from Facebook that contain these secret links using search engine queries.
A Facebook security engineer seemed surprised that this happened saying to the BBC “For a search engine to come across these links, the content of the emails would need to have been posted online.”
Hopefully this isn’t a news flash, but emails are neither secure nor private if you haven’t encrypted them.
This is the same reason we don’t email people our credit card information and don’t send new passwords to people via email. It’s not secure.
Facebook has suspended the practice, albeit temporarily. Let’s hope they wise up and realize this cannot be done safely and leave it disabled permanently.
Most users stay logged into Facebook and don’t clear their cookies as it is, so a password bypass by magic link is simply unnecessary.
Facebook said the links were only valid for one click, which strangely put users who follow our advice not to click links in emails at greater risk than those who clicked them.
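As an added illustration (this is not Facebook’s code, and the post does not describe their implementation in any detail), the hypothetical Python service below shows what properties an email action link can be given: an HMAC-signed token scoped to one user and one named action, with an expiry and single-use consumption, so that it never grants a general session. It also makes the post’s point concrete: “valid for one click” means the first redemption wins, whoever performs it. If the link leaks, say through a mailbox that was published and then indexed, the legitimate recipient who clicks later is simply refused, and nothing in the token can tell the two clicks apart. The key, user names, clock value and URL are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed example key; a real deployment would load this from a secret store.
SERVER_KEY = secrets.token_bytes(32)


class ActionLinkService:
    """Issues and redeems single-use, short-lived, action-scoped link tokens.

    Hypothetical design used only to illustrate the trade-offs discussed
    in the post; it is not Facebook's implementation.
    """

    def __init__(self, key, ttl_seconds=3600, clock=time.time):
        self._key = key
        self._ttl = ttl_seconds
        self._clock = clock      # injectable so a test can advance time
        self._pending = {}       # nonce -> payload, for tokens not yet consumed

    def _sign(self, body):
        return hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()

    def issue(self, user_id, action, target):
        """Return a token that authorises exactly one action for one user."""
        payload = {
            "uid": user_id,
            "act": action,   # e.g. "confirm_friend"; the only thing the token may do
            "tgt": target,   # e.g. the id of the person who sent the request
            "exp": int(self._clock()) + self._ttl,
            "n": secrets.token_urlsafe(16),   # nonce, tracked server-side
        }
        body = base64.urlsafe_b64encode(json.dumps(payload).encode()).decode()
        self._pending[payload["n"]] = payload
        return f"{body}.{self._sign(body)}"

    def redeem(self, token, expected_action):
        """Validate and consume a token.

        Returns (ok, reason, payload). The caller performs only the action
        named in the payload; a redeemed token never becomes a login session.
        """
        try:
            body, sig = token.split(".", 1)
        except ValueError:
            return False, "malformed", None
        # Verify before parsing, so a tampered body is never interpreted.
        if not hmac.compare_digest(sig.encode(), self._sign(body).encode()):
            return False, "bad_signature", None
        payload = json.loads(base64.urlsafe_b64decode(body.encode()))
        if payload["act"] != expected_action:
            return False, "wrong_action", None
        if self._clock() > payload["exp"]:
            self._pending.pop(payload["n"], None)
            return False, "expired", None
        # Single use: the first redemption wins, whoever performs it.
        if self._pending.pop(payload["n"], None) is None:
            return False, "already_used", None
        return True, "ok", payload


if __name__ == "__main__":
    svc = ActionLinkService(SERVER_KEY, ttl_seconds=600)
    link = "https://example.invalid/act?t=" + svc.issue("alice", "confirm_friend", "bob")
    token = link.split("t=", 1)[1]
    print("first click :", svc.redeem(token, "confirm_friend")[:2])   # whoever got there first
    print("second click:", svc.redeem(token, "confirm_friend")[:2])   # the intended user, too late
```

The scoping and expiry limit what a leaked link can do (one action, for a short window), but they do not solve the problem the post raises: the token is a bearer credential sitting in plain text in an email, and the server cannot distinguish the recipient’s click from anyone else’s.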
Despite how this *did* work, don’t click links in emails. Hopefully this is a lesson to any other organizations that may have been allowing similar authentication bypasses to stop doing so.