Facebook flaw bypasses password protections

Facebook has moved quickly to shut down a loophole which made some accounts accessible without a password.

The bug was exposed in a message posted to the Hacker News website.

The message contained a search string that, when used on Google, returned a list of links to 1.32 million Facebook accounts.

In some cases clicking on a link logged in to that account without the need for a password. All the links exposed the email addresses of Facebook users.

Throwaway account

The message posted to Hacker News used a search syntax that exposed a system used by Facebook that lets users quickly log back in to their account.

Email alerts about status updates and notifications often contain a link that lets a user of the social network respond quickly by clicking it to log in in to their account.

In a comment added to the Hacker News message, Facebook security engineer Matt Jones said the links were typically only sent to the email addresses of account holders. Links sent in this way can only be clicked once.

"For a search engine to come across these links, the content of the emails would need to have been posted online," he wrote. Mr Jones suspected this is what happened as many of the email addresses exposed were for throwaway mail sites or for services that did a bad job of protecting archived messages.

Most of the million or so links exposed would already have expired, said Mr Jones.

"Regardless, due to some of these links being disclosed, we've turned the feature off until we can better ensure its security for users whose email contents are publicly visible," he said.

Mr Jones added that Facebook had taken steps to secure the accounts of people who had been exposed by the flaw. Many of the exposed accounts were in Russia and China.

In an official statement, Facebook said the links were sent "directly to private email addresses to help people easily access their accounts, and we never made them publicly available or crawlable."

However, it said, the links were then posted elsewhere online which lead to them being indexed on search engines.

It said: "While we have always had protections on these private links to provide an additional layer of security, we have since disabled their functionality completely and are remediating the accounts of anyone who recently used this feature."