Facebook flaw bypasses password protections (http://www.bbc.co.uk)
Facebook has moved quickly to shut down a loophole which made some accounts accessible without a password.
The flaw was in a function used by Facebook that lets users quickly log back in to their accounts. Email alerts about status updates and notifications often contain a link that lets a user of the social network respond quickly by clicking it to log in to their account. Search engines were somehow able to locate these emails, complete with the login links, and display them.
Facebook security engineer Matt Jones said the links were typically only sent to the email addresses of account holders. “Links sent in this way can only be clicked once. For a search engine to come across these links, the content of the emails would need to have been posted online,” he wrote. Mr Jones suspected this is what happened, as many of the email addresses exposed were for throwaway mail sites or for services that did a bad job of protecting archived messages.
Most of the million or so links exposed would already have expired, said Mr Jones.
“Regardless, due to some of these links being disclosed, we’ve turned the feature off until we can better ensure its security for users whose email contents are publicly visible,” he said.
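The two properties Mr Jones describes, that a link only works once and that most leaked links had already expired, are what limit the damage when an emailed login link ends up indexed by a search engine. The added example below (not Facebook's code; the URL, key and store are constructed for illustration) issues HMAC-signed login links that are consumed on first use and rejected after their lifetime, so a link copied out of a publicly archived email cannot be replayed:

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed demo key; a real service would load this from a secret store.
SERVER_KEY = b"constructed-demo-key-not-for-production"
LINK_LIFETIME_SECONDS = 3600

# token id -> (user id, expiry). An entry is removed when redeemed, so each link is single-use.
_pending_tokens = {}


def issue_login_link(user_id: str, now: Optional[float] = None) -> str:
    """Mint a single-use, time-limited login link to embed in a notification email."""
    now = time.time() if now is None else now
    token_id = secrets.token_urlsafe(16)
    expires = int(now + LINK_LIFETIME_SECONDS)
    payload = f"{token_id}:{user_id}:{expires}".encode()
    sig = hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()
    _pending_tokens[token_id] = (user_id, expires)
    # example.invalid is a reserved, non-routable placeholder host
    return f"https://example.invalid/login?t={token_id}&u={user_id}&e={expires}&s={sig}"


def redeem_login_link(url: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user id if the link is authentic, unexpired and unused; otherwise None."""
    now = time.time() if now is None else now
    query = url.split("?", 1)[1]
    params = dict(part.split("=", 1) for part in query.split("&"))
    token_id, user_id, expires, sig = params["t"], params["u"], params["e"], params["s"]
    payload = f"{token_id}:{user_id}:{expires}".encode()
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()
    # Check authenticity first so a forged link cannot burn a legitimate pending token.
    if not hmac.compare_digest(sig, expected):
        return None
    # pop() consumes the token: a second click on the same link (e.g. from a leaked
    # email that a search engine indexed) finds nothing and is refused.
    entry = _pending_tokens.pop(token_id, None)
    if entry is None:
        return None  # already used, or never issued
    if now > entry[1]:
        return None  # lifetime exceeded; token was still consumed above
    return entry[0]
```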
(Continue reading at http://www.bbc.co.uk)
My Two Cents: I feel this feature is a huge security problem, and it was smart for Facebook to remove it. I personally would have never allowed a feature like this to exist in the first place.