Facebook security loopholes surface on the web every now and then. The good part is that the social network is becoming quicker at addressing such issues once they surface. For instance, it has now patched a critical vulnerability which could enable a hacker to log in to an account without providing the password.
The bug came to light when a user described it in a post on a hackers' forum. The post contained a search string which, when punched into Google, returned a link that contained a list of 1.32 million Facebook accounts.
Interestingly, when you clicked on many of these links, you could log in to those accounts without even providing a password! Facebook was swift in responding, explaining that these links were essentially confidential and were usually sent to users directly. The links then allow a user to respond to a status update or a message with a single click.
According to Facebook’s security engineer, Matt Jones, “For a search engine to come across these links, the content of the emails would need to have been posted online.” Jones further explained that these links were probably leaked because an email service had poorly archived the messages.
Nonetheless, Facebook has disabled the feature altogether, at least for the time being. “We’ve turned the feature off until we can better ensure its security for users whose email contents are publicly visible,” Jones said.
The social network also released a separate, official statement which read, “While we have always had protections on these private links to provide an additional layer of security, we have since disabled their functionality completely and are remediating the accounts of anyone who recently used this feature.”
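The emailed links described above acted as bearer credentials: anyone who obtained the URL was logged in. As an added example (not from the article and not Facebook's implementation), the Python below shows one way such a one-click link can be bound to a single action, given an expiry, and made single-use, so that a copy found in an indexed email archive is of little value. The key, field layout and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # constructed value; a real key lives in a secret store
_used_nonces = set()              # redeemed nonces (in-memory for this demo only)


def _sign(payload):
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_link_token(user_id, action, nonce, ttl=3600, now=None):
    """Build a token tied to one user, one action and an expiry time."""
    fields = [str(user_id), action, nonce]
    if any("|" in f for f in fields):
        raise ValueError("fields must not contain the '|' delimiter")
    expires = int(time.time() if now is None else now) + ttl
    payload = "|".join(fields + [str(expires)])
    return payload + "|" + _sign(payload)


def redeem_link_token(token, requested_action, now=None):
    """Return the user id if the token authorises requested_action, else None."""
    parts = token.split("|")
    if len(parts) != 5:
        return None
    user_id, action, nonce, expires, sig = parts
    expected = _sign("|".join(parts[:4]))
    # Constant-time comparison; bytes so non-ASCII input cannot raise.
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None                      # forged or altered link
    current = time.time() if now is None else now
    if int(expires) < current:
        return None                      # stale link, e.g. from an old archive
    if action != requested_action:
        return None                      # valid only for its action, never a full login
    if nonce in _used_nonces:
        return None                      # already redeemed once
    _used_nonces.add(nonce)
    return user_id
```

A production version would keep the used-nonce set in shared storage with the same lifetime as the token.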