
Tell HN: Forwarded Facebook emails automatically login as recipient - peteforde
I'm rarely speechless, but my best friend - who is not a developer but tech-savvy - just forwarded an email invite to an event that she wants me to come to with her. The email was a standard transactional Facebook event notification.

When I clicked on the event, I was logged into Facebook as my friend.

Full privileges. I could have done anything. I logged out, called her immediately and explained that a) she shouldn't send anyone transactional emails from Facebook and b) that in my opinion, she hadn't done anything wrong.

This is an outrageous security violation, as well as a violation of the principle of least surprise. It seems completely reasonable to me that someone would forward an event invitation to other people. I see this kind of thing with older folks, in particular. The obvious concern, here, is that someone could (not should) forward that email to a much larger group of people.

In an era where people are unfortunately reliant on Facebook for their identity management, social connections and even professional networking, the idea of losing access to your Facebook profile to an unknown actor is terrifying. I don't understand how this ever made it past QA.

If you work at Facebook, fix this right now.
======
eganist
Any particular reason you didn't report this through facebook.com/whitehat
_after googling how to report security issues to facebook?_ Or attempt to
reproduce it independently after reading instructions for best practices when
doing so on the aforementioned page? I can only assume it's because these
patterns and facilities weren't within your awareness at the time, which is
fine, but ideally you may consider these both in the future.

I point this out not only because this kind of blast looks bad (even among
full-disclosure circles), but because if it's a valid find, you just passed up
potentially a five figure sum.

~~~
khazhou
I will kindly suggest that in the future, instead of phrasing advice in the
form of "Any particular reason you didn't do the thing which to me is
obviously the only smart thing to do?", you could give feedback more
prescriptively and without any implied accusations.

For example:

"peteforde, in the future please do the following instead of posting on HN:

\- Google "how to report security issues to <whatever company>"

\- In this case, you will be directed to facebook.com/whitehat

\- You should try to reproduce this independently first, after reading the
best practices for doing so at the URL above.

And, there may be a five-figure sum for you if you indeed find a
vulnerability, and report it as above."

~~~
insickness
To me the wording, "Any particular reason you didn't do x?" wasn't an implied
accusation. In fact it was the opposite. It was assumed that the original
poster had taken all measures and had a good reason why they didn't take the
action. It is similar to saying, "Have you considered...?" It is a less
combative way to say, "You should have done x," which does imply that the
original poster did something wrong.

------
Hyperized
For what it's worth:

I actually reported this very issue to FB over two weeks ago and at first they
denied this being an issue, it's a feature instead. After pushing a little I
had them admit that this is actually a real security leak, however they argued
that I was _not_ the first one to find and report this. That means no six
figure bounty. They have since closed the ticket with what's basically a: will
fix in the future.

After some discussion I found the following:

\- Facebook at the very core assumes you don't forward your emails; the
security staff I talked to didn't seem to understand this is a very basic
flawed assumption.

\- It's by no means a one-time-use token; you can keep using it over and over
again. I don't understand why; they could've just used a single-use token if
anything.

\- It's bound by some kind of security mechanism, and from my PoC I found it
to be simply your IP. I suspect your friend has logged onto or simply used
Facebook from your IP address.

\- The emails don't indicate the button you are about to press actually
contains private information. This is bad UX. If people were told that the
emails should be kept private and not shared (not the case) then this could be
different.

This _seems_ to be a feature that they built so people can log in, even if
they have forgotten their passwords, in order to keep user engagements high.

It also opens up a can of worms. For example, if you break up with a partner
and you still have an ancient forwarded email, you can now simply log in as
them and have full control over their account. I suspect there's also little
protection for public WiFi that shares the same IP, such as coffee places,
cafes/bars or public transport hubs. If you see anyone there that has ever
forwarded you an email, you now own their account ;).

But remember folks, that's not a bug. It's a feature!

Edit: At this point I actually don't believe this is new for FB. For me this
is proof that business overtook good engineering and that there's simply a box
checked with 'accepted risk'. There is either no actual previous report or
people have been reporting this for a long time, but there seems to be no
willingness to fix this.

To me it seemed to be hugely connected to last week's '50 mil account token'
leak, but this is separate; accounts that I tested my PoC on can still be
accessed, and it's telling that even after last week's PR nightmare this
'feature' is still online.
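Hyperized's observations above (token reusable, never expires, survives a password change) describe the weak design; this added example, not code from Facebook or from anyone in the thread, shows the hardened alternative for a sign-in link: token stored hashed, consumed on first use, time-limited, and invalidated by a password change. The TTL, the in-memory store and the user id are constructed assumptions standing in for real policy and storage.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # constructed policy value, not Facebook's


class HardenedMagicLinks:
    """Email sign-in tokens: single-use, time-limited, stored hashed,
    and invalidated by a password change (assumed in-memory store)."""

    def __init__(self, now=time.time):
        self.now = now
        self.tokens = {}      # sha256(token) -> (user_id, expires_at, pw_version)
        self.pw_version = {}  # user_id -> counter bumped on every password change

    def issue(self, user_id):
        tok = secrets.token_urlsafe(32)  # high-entropy, unguessable
        digest = hashlib.sha256(tok.encode()).hexdigest()
        expires = self.now() + TOKEN_TTL_SECONDS
        self.tokens[digest] = (user_id, expires, self.pw_version.get(user_id, 0))
        return tok  # only the raw token goes into the email; the server keeps the hash

    def change_password(self, user_id):
        self.pw_version[user_id] = self.pw_version.get(user_id, 0) + 1

    def redeem(self, tok):
        digest = hashlib.sha256(tok.encode()).hexdigest()
        record = self.tokens.pop(digest, None)  # pop: consumed on first use
        if record is None:
            return None
        user_id, expires, version = record
        if self.now() > expires or version != self.pw_version.get(user_id, 0):
            return None  # expired, or password changed since the link was issued
        return user_id


def demo():
    """Replay a forwarded link under each failure mode; returns four outcomes."""
    clock = [1000.0]  # controllable clock so expiry is testable offline
    links = HardenedMagicLinks(now=lambda: clock[0])
    t1 = links.issue("alice")
    first, replay = links.redeem(t1), links.redeem(t1)  # "alice", None
    t2 = links.issue("alice")
    clock[0] += TOKEN_TTL_SECONDS + 1
    stale = links.redeem(t2)  # None
    t3 = links.issue("alice")
    links.change_password("alice")
    rotated = links.redeem(t3)  # None
    return first, replay, stale, rotated
```

A link whose only job is to display an event needs no session token at all; where a sign-in link is issued, this handling is what makes a forwarded copy harmless.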

~~~
Guest9812398
Do the links ever expire? Or, if I get access to a single Facebook email
belonging to someone, I can access their account for life, regardless of
whether years have passed, and they changed their password?

~~~
Hyperized
The links that I have tried do not expire. I can't tell you how long they will
last.

------
forgingahead
This is great! Now every app that allows their users to sign in using their
Google account, and asked for blanket "let's read all your email" permissions,
can simply trawl through that data trove for this same email notification from
Facebook, and have access to that user's account.

------
gojomo
Can't reproduce. #WONTFIX. Closing.

[If we're pretending HN is an FB security-issue reporting-system, I'll pretend
I'm an inattentive FB engineer!]

~~~
peteforde
I was just able to login again, using the same email link.

Proof: [https://imgur.com/a/AgTVgZK](https://imgur.com/a/AgTVgZK)

~~~
subcosmos
under an incognito tab?

~~~
peteforde
No, Incognito forces a login.

My browser has a Facebook user logged in. However, this user is a dev account
that has zero friends. This shouldn't, IMHO, change anything.

~~~
subcosmos
Follow-up question:

Is this an app "test user" account you are logged into? Has the user in
question authorized the app you are developing?

~~~
peteforde
My friend is not a test user, and my dev user is literally just for doing QA
on social graph tags for an otherwise unrelated project. My friend hasn't seen
my project or interacted with this dev account in any way.

------
artemisyna
You sure your friend hadn't previously logged in to her FB on whatever browser
your email happened to open things to?

~~~
peteforde
Yes. She's never been on or near this machine. I have no idea of her
credentials, and nor would I want to.

~~~
subcosmos
token string in the URL?

~~~
peteforde
Correct.

------
godot
Unrelated to FB, but one of the things that popular email clients (Gmail,
Hotmail, Yahoo, etc.) could be doing is a "forward without links" feature (or
even "forward without links with credentials" by detecting for query params in
links and only excluding those), where it'd be enabled when forwarding an
email (you can manually disable it if you know what you're doing).

------
mr_monkeywrench
Could you provide more info?

OAuth2 shouldn't allow this. Also you say you're logged in as a Dev acct. Dev
accts are sandboxed to the dev app ID.

Could you use Loom to show a video of this bug?

~~~
peteforde
For clarification, it's not a Facebook developer account. This is just a dummy
account I've been using to verify the social graph headers are working when I
post pages from an unrelated project. It's technically against FB policy to
have an account that isn't a real person. This dummy user has no friends; my
human friend has not interacted with it in any way.

I did post a partial screencap elsewhere in the thread. I'm not comfortable
creating a video but I would be happy to provide further details to FB
security folks.

For what it's worth, part of the reason I posted to HN was that it's clear to
me that this is intended functionality. Bugs don't usually say "welcome back".

I believe that the risk associated with this feature dramatically outweighs
the upside.

------
timdavila
I've never understood why any company emails magic log-in links in anything
except a password reset (which should immediately prompt for a new password
and send the user a notice that their password has been changed).

------
LocalMan
Of course, the optimal way to respond to this is a contradiction: Raise a big
stink, but secretly. This is not easy. I think the history of the "Tempest"
security bug should be re-read every few years.

