In association with heise online

02 November 2012, 15:23

Speculation over Facebook access via Google index

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

Google/Facebook According to a report on HackerNews, until recently a special Google search query returned numerous Facebook links permitting access to other users' accounts. The links contain a token which automatically logs into someone else's Facebook account. The search results are also reported to have contained links providing access to other users' email addresses.

The links appear to have come from notification emails sent out by Facebook in response to events such as being tagged by another user in a photo. The emails contain a direct link to the relevant event on Facebook. To make it easier for users to log in, Facebook includes the user's email address in the link URL.

This is then entered into the relevant field on the login page automatically and users need only enter their password – and even this can be omitted if they are already logged in. In some cases Facebook also uses links containing tokens which log users in without requiring a password. This is not a security problem in itself, since Facebook sends these emails directly to the account owner.

The problem arises when these links, as here, fall into the wrong hands. At the moment, it remains unclear how they came to be indexed by Google. Facebook employee Matt Jones hypothesises on HackerNews that the notification emails may have been made publicly available for reasons such as the use of a throwaway email site, access to which does not require a password.

According to one comment on HackerNews, many of the email addresses are in fact from the domain, a Russian provider of throwaway email addresses. Indeed the site's main page consists of a global inbox, listing all emails received for all users. Users who have registered their Facebook account using a service of this type should not be surprised if others access their accounts.

According to Jones, Facebook has now deactivated token-based logins. Google also appears to have taken action, with the links in question having largely vanished from its search results.


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit