A serious flaw has been discovered that allowed anyone to log in to other people's Facebook accounts without needing a password.
The flaw, reported on The Hacker News website, hinges on a search string. Googling that string returns around 1.34 million results pointing at different Facebook profiles, and clicking some of those links logs you straight into the account associated with that link, no password required.
The flawed links are the ones e-mailed to users to notify them of comments and other activity. They are designed to let users respond quickly to a notification without having to log in, and each URL is designed to work only once, Matt Jones, a Facebook engineer, said in a comment on Hacker News. He went on:
"For a search engine to come across these links, the content of the emails would need to have been posted online.
Regardless, due to some of these links being disclosed, we've turned the feature off until we can better ensure its security for users whose email contents are publicly visible."
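The mechanism Jones describes, a login link that is honoured once and then dies, is easy to get subtly wrong: if the server checks the token and deletes it in two separate steps, or never deletes it at all, a link that ends up in a public mail archive keeps working for whoever finds it. The following is an added illustration, written for this article and not Facebook's own code, of a single-use, expiring "magic link" store. The URL shape, the 24-hour lifetime, the `purpose` field and the `example.invalid` host are all assumptions for the example.

```python
import hashlib
import secrets
import time

# Added example, not Facebook's code: a minimal server-side store for
# single-use, expiring login links of the kind the article describes.

TOKEN_TTL_SECONDS = 24 * 3600  # assumed lifetime; the real value is not on the page


class MagicLinkStore:
    """Issue login tokens and honour each one exactly once."""

    def __init__(self, now=time.time):
        self._now = now
        # Keyed by SHA-256 of the token, so a leaked copy of this table
        # cannot be turned back into working links; the raw token exists
        # only inside the e-mail that was sent.
        self._tokens = {}

    def issue(self, user_id, purpose):
        token = secrets.token_urlsafe(32)  # 256 bits of randomness, unguessable
        self._tokens[self._digest(token)] = {
            "user": user_id,
            "purpose": purpose,
            "expires": self._now() + TOKEN_TTL_SECONDS,
        }
        return token

    def redeem(self, token, purpose):
        """Return the user id on the first valid use, None otherwise.

        pop() removes the record in the same step as the lookup, so the
        same link cannot log in a second visitor (for instance someone who
        found it through a search engine) after the first click.
        """
        record = self._tokens.pop(self._digest(token), None)
        if record is None:
            return None  # unknown, already used, or forged
        if record["expires"] < self._now():
            return None  # expired; the record is already gone
        if record["purpose"] != purpose:
            return None  # token was issued for a different notification
        return record["user"]

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()


def build_link(base_url, token, purpose):
    # Constructed URL shape for illustration only; not Facebook's format.
    return f"{base_url}/n/?purpose={purpose}&token={token}"


def demo():
    clock = [1_000_000.0]  # fake clock so expiry can be exercised offline
    store = MagicLinkStore(now=lambda: clock[0])
    token = store.issue(user_id=42, purpose="comment")
    link = build_link("https://example.invalid", token, "comment")
    first = store.redeem(token, "comment")    # 42: the recipient follows the link
    second = store.redeem(token, "comment")   # None: same link, indexed and clicked later
    stale = store.issue(user_id=7, purpose="comment")
    clock[0] += TOKEN_TTL_SECONDS + 1
    expired = store.redeem(stale, "comment")  # None: past the TTL
    return first, second, expired, link


if __name__ == "__main__":
    print(demo())
```

Two caveats worth keeping in mind. First, single-use only helps if the legitimate recipient clicks before anyone else does; a link sitting in a public mail archive that nobody has used yet still logs the finder in, which is why the page reports the feature being switched off rather than merely tightened. Second, the in-memory dict above is atomic only within one process; a real deployment needs the database equivalent of "delete and return the row in one statement" so that two concurrent requests with the same token cannot both succeed.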
Facebook has now disabled the feature to protect its users and is helping exposed users secure their accounts. Most of the exposed users are said to be in Russia and China.