Monday, November 5, 2012

Facebook cancels shortcut log in over security concerns

What was supposed to be a shortcut for Facebook users to log into their pages ended up exposing their email addresses - and, in some cases, potentially allowing access to their accounts as well. 

A Facebook spokesman said Friday that the company had created the shortcut, called auto login, to let some users go directly to their pages by clicking on a Web link sent to their email addresses. Once they clicked on the link, they could get into their accounts, rather than having to go to Facebook.com and log in. 

Some of the links required users to type their passwords, while others did not, the company said. 

On the website Hacker News, a technology discussion board, Matt Jones, an engineer at Facebook, said the company had offered the service for "ease of use" and never made the Web addresses "publicly available." 
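The article does not say how Facebook built its auto-login links, only that clicking one could open an account without a password and that the links leaked once users posted them. The following is an added example, not Facebook's code, of the minimum a link of that kind needs in order to limit the damage when it leaks: an HMAC over the link contents so it cannot be forged or re-pointed at another account, a short expiry, and single-use redemption so a link copied from a public page or a search index is dead after its first legitimate click. The secret `SERVER_KEY`, the fifteen-minute `TOKEN_TTL`, the `example.test` URL and the `LoginLinkService` class are all assumptions for the illustration.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed per-deployment secret; a real service loads this from a KMS or secret store.
SERVER_KEY = b"example-server-secret-not-for-production"
# Assumed lifetime of a link; long enough to open the e-mail, short enough that an
# indexed copy is useless by the time a crawler surfaces it.
TOKEN_TTL = 15 * 60


class LoginLinkService:
    """Issues and redeems signed, expiring, single-use login links (illustrative)."""

    def __init__(self, key=SERVER_KEY, ttl=TOKEN_TTL, now=time.time):
        self._key = key
        self._ttl = ttl
        self._now = now          # injectable clock so expiry can be exercised offline
        self._unused = {}        # nonce -> user id; an entry is removed on first redemption

    def _mac(self, user_id, expires, nonce):
        # The signature covers every field the server later trusts, so changing the
        # account id or the expiry in a leaked link invalidates it.
        msg = f"{user_id}|{expires}|{nonce}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def issue(self, user_id, base="https://example.test/auto-login"):
        # An opaque account id goes into the link, never the e-mail address itself.
        expires = int(self._now()) + self._ttl
        nonce = secrets.token_urlsafe(16)
        self._unused[nonce] = user_id
        query = urlencode({"u": user_id, "e": expires, "n": nonce,
                           "s": self._mac(user_id, expires, nonce)})
        return f"{base}?{query}"

    def redeem(self, url):
        """Return (user_id, "ok") or (None, reason) for a presented link."""
        q = parse_qs(urlparse(url).query)
        try:
            user_id, expires, nonce, sig = q["u"][0], int(q["e"][0]), q["n"][0], q["s"][0]
        except (KeyError, ValueError):
            return None, "malformed"
        # Constant-time compare; checked before anything else so no state is consumed
        # by a forged link.
        if not hmac.compare_digest(sig, self._mac(user_id, expires, nonce)):
            return None, "bad-signature"
        if self._now() > expires:
            self._unused.pop(nonce, None)
            return None, "expired"
        # pop() makes the nonce single-use: the second click on the same link fails.
        if self._unused.pop(nonce, None) != user_id:
            return None, "already-used"
        return user_id, "ok"


def demo():
    """Walk a link through the leak scenarios the article describes (constructed data)."""
    clock = [1_000_000]
    svc = LoginLinkService(now=lambda: clock[0])

    link = svc.issue("alice")
    first = svc.redeem(link)               # legitimate click from the e-mail
    replay = svc.redeem(link)              # same link found later on a public page

    link2 = svc.issue("alice")
    clock[0] += TOKEN_TTL + 1
    stale = svc.redeem(link2)              # link surfaced by a search engine after expiry

    link3 = svc.issue("bob")
    forged = svc.redeem(link3.replace("u=bob", "u=alice"))   # re-pointed at another account
    return first, replay, stale, forged


if __name__ == "__main__":
    for label, result in zip(("first", "replay", "stale", "forged"), demo()):
        print(f"{label:7s} -> {result}")
```

Two caveats this does not remove. Inside its lifetime and before its first use, the link is still a bearer credential: whoever sees it first, including a mail provider or a link-preview bot, gets the session, so such links should land on a low-privilege view and require the password again before anything sensitive, which the article notes some of Facebook's links did. And the leaked email addresses in this story came from the links themselves; keeping the address out of the URL, as above, means a leaked link identifies only an opaque id.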

But they did become publicly available, as the discussion on Hacker News revealed Friday. 

The Facebook spokesman, Frederic Wolens, said some users may have posted the links on the Web, allowing anyone to search for them on the Web. Those links could give a stranger access to the Facebook pages connected to them, as well as the email addresses of those users. Wolens said he had no explanation why someone would post the links. 

When Facebook found the problem, it discontinued the shortcut. 

The Hacker News thread said more than 1 million Facebook accounts had been affected. Facebook could not confirm that figure Friday afternoon. 

Trend Micro, a private security company that offers safety tools for Facebook users, said Web address shortcuts were inherently dangerous because they could ultimately end up on the Web. 

"Many, many hackers are targeting these portals because of the ubiquitous trust and use of them," said Tom Kellermann, vice president for cybersecurity at Trend Micro. He added, "You don't take shortcuts through woods in cyberspace." 

The news of the security hole comes a week after a Bulgarian blogger, Bogomil Shopov, said he had bought 1.1 million Facebook users' names and email addresses on the Web for $5. He found the information for sale on a marketplace site, gigbucks.com. The items are no longer available. 

Wolens of Facebook said the data had been acquired and compiled by someone who took whatever information Facebook users made public on their pages - and from other publicly available data about those users. 

Kellermann of Trend Micro said the problem with the shortcut could explain how the names and email addresses that Shopov had found became public. Facebook said the security flaw and the user data for sale had nothing to do with each other. 

"We have no reason whatsoever to believe that these two incidents are related," Wolens said.
