Thursday, November 1, 2012

More than 1MM Facebook accounts exposed




Not much to say. It seems incredible, but clicking on any of these search results in most cases takes you straight into that person's account or, if not, at least reveals the user's email address, which is serious anyway.

That is how important your Facebook security is.
We reported the problem and I'm waiting for an answer.
Edit2: this is Facebook's answer:
My name is Matt Jones, and I work on the security team at Facebook that looked into this tonight. We only send these URLs to the email address of the account owner for their ease of use and never make them publicly available. Even then we put protection in place to reduce the likelihood that anyone else could click through to the account.
For a search engine to come across these links, the content of the emails would need to have been posted online (e.g. via throwaway email sites, as someone pointed out, or people whose email addresses go to email lists with online archives).
As jpadvo surmised, the nonces expire after a period of time. Also, they only work for certain users, and even then we run additional security checks to make sure it looks like the account owner who's logging in. Regardless, due to some of these links being disclosed, we've turned the feature off until we can ensure better security for users whose email contents are publicly visible. We are also securing the accounts of anyone who recently logged in through this flow.
In the future, if you run into something that looks like a security problem with Facebook, feel free to disclose it responsibly through our whitehat program: https://www.facebook.com/whitehat . That way, in addition to making some money, you can avoid a bunch of script kiddies exploiting whatever the issue is that you've found.
The Facebook engineer wanted me to feel bad, saying that I missed out on a few dollars by not contacting them directly.
I challenge you to find a contact form at https://www.facebook.com/help/ :)
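Facebook's reply above lists the controls that make an emailed login link survivable when the email ends up in a public archive: the nonce expires, it only works for some users, and extra checks are run at redemption. The block below is an added illustration of that design and is not Facebook's code or the flow behind the `bcode` links on this page. It puts the risky pattern (a bare bearer token that is valid forever and replayable) next to a hardened one (short expiry, single use, and an HMAC binding the nonce to the recipient address and expiry time). The host `www.example.invalid`, the key `SERVER_KEY`, the 15-minute lifetime and the in-memory dictionaries are all assumptions made so the example runs offline.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed server-side signing key. A real service loads it from a secrets
# store; it is hard-coded here only so the example runs offline.
SERVER_KEY = b"example-signing-key-not-for-production"
BASE = "https://www.example.invalid/n/?"   # placeholder host, not facebook.com
LINK_TTL_SECONDS = 15 * 60                # short lifetime for an emailed link

# Issued nonces, keyed by nonce value (a real service would use a database).
_weak_issued = {}
_issued = {}


def make_weak_link(user_id, email, target):
    """The risky pattern: a bearer token in the query string with no expiry,
    no single-use tracking and no binding to the recipient. Anyone who can
    read the email, or a public archive of it, can log in as user_id."""
    token = secrets.token_hex(8)
    _weak_issued[token] = user_id
    return BASE + urlencode({"next": target, "bcode": token, "n_m": email})


def redeem_weak(url):
    """Only checks that the nonce exists: replayable forever, by anyone."""
    q = parse_qs(urlparse(url).query)
    user = _weak_issued.get(q.get("bcode", [""])[0])
    return (True, user) if user else (False, "unknown nonce")


def _sign(nonce, email, expires):
    msg = f"{nonce}|{email}|{expires}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def make_link(user_id, email, target, now=None):
    """Hardened: short expiry, single use, and an HMAC over nonce, recipient
    and expiry so that editing any of those parameters invalidates the link."""
    now = int(time.time() if now is None else now)
    expires = now + LINK_TTL_SECONDS
    nonce = secrets.token_urlsafe(16)
    _issued[nonce] = {"user": user_id, "email": email,
                      "expires": expires, "used": False}
    params = {"next": target, "bcode": nonce, "n_m": email,
              "exp": expires, "sig": _sign(nonce, email, expires)}
    return BASE + urlencode(params)


def redeem(url, now=None):
    """Return (True, user_id) and consume the nonce, or (False, reason)."""
    now = int(time.time() if now is None else now)
    q = parse_qs(urlparse(url).query)
    try:
        nonce, email = q["bcode"][0], q["n_m"][0]
        expires, sig = int(q["exp"][0]), q["sig"][0]
    except (KeyError, ValueError):
        return False, "malformed"
    # Verify the signature before touching any state (constant-time compare).
    if not hmac.compare_digest(sig, _sign(nonce, email, expires)):
        return False, "bad signature"
    rec = _issued.get(nonce)
    if rec is None:
        return False, "unknown nonce"
    if rec["used"]:
        return False, "already used"
    if now > expires:
        return False, "expired"
    rec["used"] = True          # single use: a replay from an archive fails
    return True, rec["user"]
```

In practice a service would add the "does this look like the account owner" signals the reply mentions (known device, recent IP range) on top of these checks, and would never emit a login-capable link at all to addresses known to be list-archived or disposable; the example stops at the parts that can be shown deterministically.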
Edit4: Google removed the results
Edit5: Post on BBC
Link: Spam in Google Groups
Link: Spam in various blogs found via Google search


Since this is already out there as a known issue, and concerns Google too, here are the links.

Here is the main vulnerability in Facebook: a notification link that carries a login token (bcode) together with the recipient's email address (n_m).


http://www.facebook.com/n/?groups%[id here]%2Fpermalink%[id here]%2F&mid=[id here]&bcode=[id here]-mjoi&n_m=[email address here]

When I clicked the URL I was automatically logged into my friend's account.
So it is definitely a Facebook security issue.


Then I tried some Google searches to see if I could find URLs containing these parameters:

"bcode= &email= n_m= mid="

inurl:bcode=[*]+n_m=[*] site:facebook.com

Not a big deal now, really: Google has removed all URLs for this Facebook vulnerability from its search results.
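The Google dorks above find these links only after a search engine has indexed them. Whoever runs a public mailing-list archive or paste site can apply the same test locally before anything is published. The block below is an added example, not code from this post or from Facebook: it reproduces the `inurl:bcode= n_m= site:facebook.com` match as a URL check and redacts the token, message id and recipient address while leaving the rest of the URL readable. The sample email text is constructed here for the demonstration; the parameter names come from the URL shown above, and the `mid`/`EXAMPLE...` values and list addresses are made up.

```python
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample: a forwarded notification email as it might appear in a
# public mailing-list archive. Every identifier below is made up.
SAMPLE_ARCHIVE = """\
From: alice@example.invalid
Subject: [dev-list] Fwd: Bob commented on your post
Hi all, forwarding this so you can see the thread:
http://www.facebook.com/n/?groups%2F111%2Fpermalink%2F222%2F&mid=EXAMPLEMID&bcode=EXAMPLENONCE-abcd&n_m=alice%40example.invalid
Help page for reference: http://www.facebook.com/help/
"""

# Parameters that mark a login link (bcode + n_m) and those worth blanking.
TOKEN_PARAM = "bcode"
EMAIL_PARAM = "n_m"
SENSITIVE = ("bcode", "n_m", "mid")

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def is_login_link(url):
    """Local equivalent of the dork `inurl:bcode= n_m= site:facebook.com`:
    a facebook.com host, the /n/ notification path, and both parameters."""
    p = urlparse(url)
    host = p.netloc.lower()
    if host != "facebook.com" and not host.endswith(".facebook.com"):
        return False
    if not p.path.startswith("/n/"):
        return False
    q = parse_qs(p.query)
    return TOKEN_PARAM in q and EMAIL_PARAM in q


def redact_url(url):
    """Blank the sensitive parameter values but keep the URL shape so the
    archived message still reads naturally."""
    pattern = r"(?<=[?&])(%s)=[^&]*" % "|".join(map(re.escape, SENSITIVE))
    return re.sub(pattern, r"\1=REDACTED", url)


def scrub_archive(text):
    """Return (cleaned_text, found_links) for a block of archived mail."""
    found = []

    def repl(m):
        url = m.group(0)
        if is_login_link(url):
            found.append(url)
            return redact_url(url)
        return url

    return URL_RE.sub(repl, text), found


if __name__ == "__main__":
    cleaned, found = scrub_archive(SAMPLE_ARCHIVE)
    print(f"{len(found)} login link(s) redacted")
    print(cleaned)
```

Run over an archive export before it goes online, the `found` list doubles as an incident record of which recipients need their accounts checked, which is the same clean-up Facebook describes doing for users who logged in through this flow.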
