Loophole in Facebook shortcut for auto-login affects 1 million accounts

Here’s a good reason why you should be wary of shortcuts. According to a report in the New York Times, a shortcut meant to make logging into Facebook easy and quick ended up exposing users’ e-mail addresses. In some instances, these shortcuts even led to the security of users’ accounts being compromised. While the auto-login feature now stands discontinued, a spokesperson for Facebook confirmed that the company had created the auto-login feature simply to let users access their pages directly (i.e. without going to Facebook.com and logging in) by clicking on a web link e-mailed to them. Users used this method to access their pages directly. A couple of these web links required users to enter their passwords, while the others did not. A Facebook engineer said on Hacker News that the service had only been introduced to offer “ease of use” and that the e-mail addresses weren’t available publicly. In the latest discussion on the website, it had become clear that the e-mail addresses were indeed available publicly.



A wrong shortcut



While giving no explanation as to why someone would post the links, Facebook spokesman Frederic Wolens hinted that users had possibly posted the links on the web. This potentially enabled anyone to search for them, and these links could “give a stranger access to the Facebook pages connected to them, as well as the e-mail addresses of those users”.


According to the New York Times report, the discussion thread on The Hacker News had confirmed that the loophole affected a staggering 1 million Facebook accounts. Tom Kellermann, vice president for cyber security at Trend Micro, added, "Many, many hackers are targeting these portals because of the ubiquitous trust and use of them. You don’t take shortcuts through the woods in cyberspace".


Facebook is pushing to make its privacy settings easier to understand and use. According to an announcement by the social networking giant, those signing up for a new account on Facebook will be greeted by a detailed description of how the privacy settings work. 


According to the post by Facebook, “We’ve implemented these enhancements as part of our broader effort to integrate more privacy education into the new user experience. We appreciate the guidance on this effort that we’ve received from the Irish Data Protection Commissioner’s Office, the regulatory oversight agency for our services outside of the United States and Canada.”

Published Date: Nov 03, 2012 05:43 pm | Updated Date: Nov 03, 2012 05:43 pm