Facebook password-bypass flaw fixed

The social network corrects a flaw over the weekend that could potentially have put over a million accounts at risk of being accessed by unauthorized users.

Zack Whittaker Writer-editor
Zack Whittaker is a former security editor for CNET's sister site ZDNet.
Zack Whittaker
2 min read

Facebook was vulnerable to a flaw that might have allowed some users to log in without a password. Screenshot by Zack Whittaker/CNET

Facebook this weekend disabled a loophole that might have allowed some accounts to be accessed without a password.

The vulnerability, which was posted to Hacker News on Friday, could potentially have allowed an unauthorized user to access another person's Facebook account.

The flaw centered on e-mails sent out by the social network which contained links that, once clicked, would log a user straight into a Facebook account without the need for any secondary authentication, such as entering a password. The e-mails could be discovered through a simple Google search query, with 1.3 million accounts potentially open to the flaw, according to Hacker News.

As well as bringing up the links that could expose Facebook accounts to unauthorized logins, the search query also showed the e-mail addresses associated with accounts.

The search query that found the links -- which were only temporary and set to expire once the intended user clicked on them -- has since been disabled by Google and no longer displays any results.

Facebook engineer Matt Jones said on Hacker News that Facebook does not share the links. "We only send these URLs to the e-mail address of the account owner for their ease of use and never make them publicly available. Even then we put protection in place to reduce the likelihood that anyone else could click through to the account."

"For a search engine to come across these links, the content of the e-mails would need to have been posted online (e.g. via throwaway email sites, as someone pointed out -- or people whose e-mail addresses go to email lists with online archives)," he added.

Facebook's security system also runs "additional checks to make sure it looks like the account owner who's logging in," according to Jones.

Most of the links in the search results would already have expired, and Facebook has since disabled the feature for the time being, the engineer said.

"Regardless, due to some of these links being disclosed, we've turned the feature off until we can better ensure its security for users whose e-mail contents are publicly visible. We are also securing the accounts of anyone who recently logged in through this flow."