Nov 04, 2012

There are many uses and benefits of social networking sites such as Facebook. Even with so many uses and benefits, they have some drawbacks too. One such drawback, a security vulnerability, has now been exposed. There is a security issue, even though Facebook has moved quickly to shut down the gap that made some accounts accessible without a password.

The issue was exposed in a message posted to the Hacker News website. The message contained a search string that, when used on Google, returned a list of links to 1.32 million Facebook accounts. Clicking some of the links logged the visitor into the account without the need for a password. All the links exposed the email addresses of the Facebook users.

The search syntax uncovered a system used by Facebook that lets users quickly log back into their account.

Facebook also includes a link in emails about status updates and notifications so that the user can respond quickly by clicking it to log in to their account.

Facebook security engineer Matt Jones said the links were typically only sent to the email addresses of account holders. Links sent in this way can only be clicked once.
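As an added illustration (example code, not Facebook's implementation), here is a minimal single-use, expiring login-link store of the kind described above: only a hash of each token is kept server-side, a token is consumed on its first redemption, and it expires after an assumed 24-hour lifetime, so a link that later turns up in a public email archive no longer opens the account. The class name, the lifetime and the sample addresses are assumptions.

```python
# Added example, not Facebook's code: one-time, expiring login links.
import hashlib
import secrets
from dataclasses import dataclass

TOKEN_LIFETIME_SECONDS = 24 * 3600  # assumed lifetime; the article gives none


@dataclass
class _Record:
    email: str
    expires_at: float


class MagicLinkStore:
    """Issues and redeems one-time login tokens (hypothetical helper)."""

    def __init__(self):
        self._records = {}  # sha256(token) -> _Record

    @staticmethod
    def _digest(token: str) -> str:
        # Store only a hash: a leaked database copy does not yield usable links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email: str, now: float) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._records[self._digest(token)] = _Record(
            email, now + TOKEN_LIFETIME_SECONDS
        )
        return token  # embedded in the emailed link; never kept in clear

    def login_link(self, token: str) -> str:
        # Hypothetical domain; the token travels only in the emailed URL.
        return f"https://example.invalid/login?token={token}"

    def redeem(self, token: str, now: float):
        """Return the account email on success, else None.

        The record is removed before any check, so a link is consumed on its
        first use whether or not that use succeeds, and a second click fails.
        """
        rec = self._records.pop(self._digest(token), None)
        if rec is None or now > rec.expires_at:
            return None
        return rec.email
```

A real deployment would also bind the token to the recipient, log each redemption, and rate-limit failed attempts so that harvested links show up as a burst of rejected logins.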

“For a search engine to come across these links, the content of the emails would need to have been posted online,” he wrote. Mr Jones suspected this is what happened as many of the email addresses exposed were for throwaway mail sites or for services that did a bad job of protecting archived messages.

Most of the million or so links exposed would already have expired, said Mr Jones.

“Regardless, due to some of these links being disclosed, we’ve turned the feature off until we can better ensure its security for users whose email contents are publicly visible,” he said.

Mr Jones added that Facebook had taken steps to secure the accounts of people who had been exposed by the flaw. Many of the exposed accounts were in Russia and China.

In an official statement, Facebook said the links were sent “directly to private email addresses to help people easily access their accounts, and we never made them publicly available or crawlable.”

However, it said, the links were then posted elsewhere online, which led to them being indexed by search engines.

It said: “While we have always had protections on these private links to provide an additional layer of security, we have since disabled their functionality completely and are remediating the accounts of anyone who recently used this feature.”