Forward me an email and I can log into your facebook account

Jonny Thaw
Oct 4, 2018


Albeit a slightly over-exaggerated title, the sentiment rings true. Let me tell you a story, a story that happened to me, but may well have happened to you.

I do not have facebook. This is an important establishing fact, but this can happen if you do have it too. My Nan e-mails me from time to time, she also texts me and she has facebook. From what I can tell that's a pretty connected Nan; for someone who is around [REDACTED], having that much grasp on things created in the last decade is impressive, but as you can imagine it's not all fully grasped.

She received a message on messenger and also has the preferences (which I would guess is default) where she receives an email notification about said message. The message is generic, simply saying “[NAME] sent you a message. Open in messenger” with the latter text being a button. It's this button where the danger lies.

(Image: the email you receive from Messenger)

I imagine my Nan thought that because she saw the message she wanted me to see via this email and link, forwarding it on to me would allow me to see the same. A claim that logic backs, but one that, with the understanding of privacy on the internet that comes with having grown up with it, I would imagine to be false; and for what it's worth I shrugged it off as being false. I clicked the link, thinking that POSSIBLY facebook displayed a snippet if you are not logged in as the account holder, but as I thought, it displayed a page that said ‘To see the message, continue to log in’ or something to that effect.

I leave it at that, not thinking anything of it. And it's at this point I reiterate I don't have facebook, so any facebook links I receive I see very differently to everyone else. This was how I found out about this bizarre turn of events: I opened a facebook event link and my page looked very different from usual. I had a chat bar and notifications and it displayed a name close to my name, but not my name…

After clicking that link, I was logged fully into someone else’s account

No password, only the link (which has no special thing from the email, it can be copied and pasted to anyone else to use) fully authenticated me to my Nan’s account, unlimited access.

But this situation is unlikely to happen often?

A-ha! I thought you might say this. It is unlikely to happen, I agree. It was only because it was someone from a different generation with less understanding of how these things work, doing something that led to this happening. But my Nan is not the only person from this generation on Facebook. In fact, doesn't the media tell you that the generation above me and other millennials is in fact the main group who uses Facebook?

So my argument here is that it's unlikely, but yet it happened, so one could assume it would again. Especially from a company that boasts something ludicrous like 2 billion monthly users.

And that is ignoring the potentially more farfetched ideas of e-mail dumps or someone sitting on someone's unlocked computer, because like I said there are no more steps needed other than clicking that link. Admittedly I didn't test 2-factor authentication but (and apologies for the wild claim) if you are forwarding an email like this one to anyone, there's a good chance you might not have 2-factor authentication.

Why not report it to the bug bounty program?

I did. They told me it was not a bug. They said that if they have reason to believe the account holder is clicking the link, they will automatically log them in. So how could they try and do that? These are just wild guesses but let's see:

  • Having a token (provided in the link email — not uncommon)
  • Using some geolocation identifying
  • Having other parameters supplied in the email link
  • Time from e-mail sent (expiring token)

So let me just say this, I live in the same country as my Nan, but pretty polar opposite locations, Hull -> London. Is this catchment area acceptable already?

The token should count for something, but at least in my mind, being able to pass authenticated credentials etc. fully to someone's account SURELY is a no-no? I wouldn't ever build it into a site I made (I realize I don't have the same ideas or concerns) simply because it feels like a vulnerability.

Other parameters, I don’t know if an e-mail could be smart enough to know where it started — just spitballing.

And an expiring token, this surely seems like at least the safety net for the token. Yet 4 days later, I can still use it just fine!
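The four guesses above (a token in the link, an expiry on it, extra link parameters, and the question of what a valid click should actually grant) can be pinned down as a concrete design. The code below is an added example written for this article, not Facebook's implementation and not anything the author tested: it is one way a notification e-mail link could be issued and checked so that a forwarded or four-day-old copy is useless. The host `example.invalid`, the server secret (generated at import time), the field names in the token and the in-memory nonce set are all constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Constructed for this example: in a real deployment the key comes from a
# secret store and is rotated, and the used-nonce set lives in shared storage.
SERVER_SECRET = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 15 * 60           # a notification link should not outlive its usefulness
BASE_URL = "https://example.invalid"  # placeholder host, not a real site
_used_nonces: set = set()


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_notification_link(user_id: str, message_id: str, now: Optional[float] = None) -> str:
    """Build the link that goes into the notification e-mail.

    The token is scoped to one message, expires after TOKEN_TTL_SECONDS and
    carries a nonce so it can be accepted only once. Every field is covered
    by the HMAC, so none of them can be edited by whoever holds the link.
    """
    now = time.time() if now is None else now
    payload = {
        "uid": user_id,
        "mid": message_id,
        "scope": "view-message",  # deliberately not a full session
        "exp": int(now + TOKEN_TTL_SECONDS),
        "nonce": secrets.token_hex(8),
    }
    body = _b64e(json.dumps(payload, separators=(",", ":")).encode())
    sig = _b64e(hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).digest())
    return f"{BASE_URL}/messages/{message_id}?t={body}.{sig}"


def token_from_link(link: str) -> str:
    """Pull the token back out of a link, as the web front end would."""
    return parse_qs(urlparse(link).query)["t"][0]


def verify_link_token(token: str, now: Optional[float] = None, used: Optional[set] = None):
    """Return (payload, status); payload is None unless status == "ok".

    The signature is checked before the body is parsed, so nothing
    link-holder-controlled is decoded as JSON until it is authenticated.
    """
    now = time.time() if now is None else now
    used = _used_nonces if used is None else used
    try:
        body, sig = token.split(".", 1)
        given = _b64d(sig)
    except (ValueError, binascii.Error):
        return None, "malformed"
    expected = hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(given, expected):
        return None, "bad-signature"
    payload = json.loads(_b64d(body))
    if now > payload["exp"]:
        return None, "expired"   # the four-day-old link from the post would stop here
    if payload["nonce"] in used:
        return None, "replayed"  # a forwarded copy of an already-opened link stops here
    used.add(payload["nonce"])
    return payload, "ok"


def handle_click(link: str, now: Optional[float] = None, used: Optional[set] = None) -> dict:
    """What the server grants for a click: at most the one message named in the token."""
    payload, status = verify_link_token(token_from_link(link), now, used)
    if status != "ok":
        return {"session": False, "message": None, "reason": status}
    # Even a valid token unlocks only the message it names; a full session
    # still goes through the normal login (and 2-factor where it is enabled).
    return {"session": False, "message": payload["mid"], "reason": "ok"}


if __name__ == "__main__":
    link = make_notification_link("u42", "m7")
    print(handle_click(link))                          # granted: message m7 only
    print(handle_click(link))                          # replayed
    print(handle_click(link, now=time.time() + 4 * 86400, used=set()))  # expired
```

The two properties the post is really asking for are the short TTL and the single-use nonce: with both, a link that lands in the wrong inbox days later, or that is copied and pasted to someone else after the owner has opened it, is rejected before any account state is touched. The `scope` field is the third: even when every check passes, the click reveals one message rather than issuing a session cookie.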

Maybe I’m wrong, it just seems crazy

I was really excited about finding this bug; the thought of retiring off the huge facebook cash I would get paid out was really warming. So I really sensationalized it, but I have to accept that maybe people could rebut this and tell me why it isn't a big deal. But right now it seems ludicrous. And I am creating this post for debate / exposure / because Facebook didn't think it was interesting.
