Facebook fixes bug affecting Hotmail users

Turkish researchers find hole in password reset feature of Facebook that put some Hotmail users' accounts at risk.

Elinor Mills Former Staff Writer

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.

See full bio

Elinor Mills

April 11, 2011 4:39 p.m. PT

Facebook has fixed a bug in the site's password reset feature that could have been exploited to expose passwords of a small number of users who also use Hotmail.

"We can access password of any facebook user who uses hotmail email address as their facebook account," Turkish security researcher Serkan Gencel, wrote in an e-mail to CNET this weekend. "If you have any hotmail account and if it is used as facebook account, we can change and send you your new password:)."

A Facebook spokesman released a statement today confirming the bug and saying it had been fixed.

"We were notified of this vulnerability by a Turkish security researcher via our white hat queue, and we worked to quickly resolve the problem," the statement said.

"When properly notified, we will quickly investigate all legitimate reports of security vulnerabilities and fix potential problems, and have adopted a responsible disclosure policy to encourage notifications," the statement said. "We encourage security researchers who identify security problems to embrace the practice of notifying Web site security teams of problems and giving them time to fix the problems before making any information public."

The company also thanked the researchers for "bringing this to our attention, and demonstrating the value of responsible disclosure."

The problem was covered on this Turkish news Web site.