A Hacker News member noticed that a Google search for ‘inurl:bcode=[*]+n_m=[*] site:facebook.com’ returned links belonging to approximately 1.3 million Facebook accounts. Each of these links carried the email address with which the account owner had signed up for Facebook, so anyone who found them could read those addresses. The results for this search were removed from Google shortly after the issue was noticed.
This is how everything started
A friend of Hacker News member ‘nico-roddz’ forwarded him a Facebook group notification email containing a link of the following form:
http://www.facebook.com/n/?groups%[id here]%2Fpermalink%[id here]%2F&mid=[id here]&bcode=[id here]-mjoi&n_m=[email address here]
When nico-roddz clicked the link, he was automatically logged into the account of the friend who had sent the email; as he stated, this was a Facebook security issue. He then ran a Google search to see whether he could find other indexed URLs containing the same parameters:
bcode=, email=, n_m=, mid=
He found more than one million live Facebook links of this kind exposed in the search results.
Shortly after this, Matt Jones of the Facebook security team noticed the thread nico-roddz had posted on Hacker News and intervened quickly. He replied in the Hacker News thread:
My name is Matt Jones, and I work on the Facebook security team that looked into this tonight. We only send these URLs to the email address of the account owner for their ease of use and never make them publicly available. Even then we put protection in place to reduce the likelihood that anyone else could click through to the account.
For a search engine to come across these links, the content of the emails would need to have been posted online (e.g. via throwaway email sites, as someone pointed out – or people whose email addresses go to email lists with online archives).
As jpadvo surmised, the nonces expire after a period of time. They also only work for certain users, and even then we run additional security checks to make sure it looks like the account owner who’s logging in. Regardless, due to some of these links being disclosed, we’ve turned the feature off until we can better ensure its security for users whose email contents are publicly visible. We are also securing the accounts of anyone who recently logged in through this flow.
In the future if you run into something that looks like a security problem with Facebook, feel free to disclose it responsibly through our whitehat program: https://www.facebook.com/whitehat. That way, in addition to making some money, you can avoid a bunch of script kiddies exploiting whatever the issue is that you’ve found.
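As an added illustration (this is not code from the original post or from Facebook), the Python below does two things related to the story above. First, it parses notification links of the shape quoted earlier and pulls out the bcode nonce and the n_m address, which is the kind of scan one would run over a mail archive or proxy log to find leaked login links. Second, it sketches the properties Matt Jones describes for a safer version of the feature (expiring, single-use nonces bound to one account, with an extra check on the visitor) in a small LoginLinkService class. The class, the example.com host, the sample lines and the device_known flag are assumptions made for this example; the flag stands in for checks the post does not specify.

```python
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlparse

# Constructed sample lines for this example (made-up ids and addresses); the
# first has the shape of the notification link quoted above.
SAMPLE_LINES = [
    "http://www.facebook.com/n/?groups%2F123%2Fpermalink%2F456%2F"
    "&mid=abc123&bcode=1.1350000000.1234abcd-mjoi&n_m=alice%40example.com",
    "http://www.facebook.com/n/?groups%2F123%2Fpermalink%2F456%2F&mid=abc123",
    "https://example.org/page?bcode=zzz&n_m=bob%40example.com",
]


def extract_login_link(url):
    """Return {'bcode': nonce, 'n_m': email} for a facebook.com/n/ link that
    carries both parameters, or None for anything else."""
    parsed = urlparse(url)
    host = parsed.netloc.lower()
    if host != "facebook.com" and not host.endswith(".facebook.com"):
        return None
    if not parsed.path.startswith("/n/"):
        return None
    # parse_qs percent-decodes values, so n_m comes back as a plain address
    params = parse_qs(parsed.query, keep_blank_values=True)
    if "bcode" not in params or "n_m" not in params:
        return None
    return {"bcode": params["bcode"][0], "n_m": params["n_m"][0]}


def scan_for_leaked_links(lines):
    """Run extract_login_link over a list of lines (e.g. a mail archive or
    proxy log) and return the hits in order."""
    hits = []
    for line in lines:
        found = extract_login_link(line.strip())
        if found is not None:
            hits.append(found)
    return hits


class LoginLinkService:
    """Hardened email login links (illustrative design, not Facebook's code):
    the URL carries only a random nonce, never the recipient's address; the
    server keeps a hash of the nonce bound to one account with an expiry; a
    nonce is consumed the first time it is presented; and the caller-supplied
    device_known flag stands in for whatever extra checks a real service runs
    to confirm the visitor looks like the account owner."""

    def __init__(self, ttl_seconds=3600, clock=time.time):
        self.ttl_seconds = ttl_seconds
        self.clock = clock        # injectable so expiry can be exercised in tests
        self._pending = {}        # sha256(nonce) -> (user_id, expires_at)

    @staticmethod
    def _digest(nonce):
        return hashlib.sha256(nonce.encode("ascii")).hexdigest()

    def issue(self, user_id):
        """Create a link for user_id. Only the hash of the nonce is stored, so a
        leaked table does not yield usable links."""
        nonce = secrets.token_urlsafe(32)
        self._pending[self._digest(nonce)] = (user_id, self.clock() + self.ttl_seconds)
        return f"https://www.example.com/n/?bcode={nonce}"   # hypothetical host

    def redeem(self, url, device_known):
        """Return the user_id the link logs in, or None if it is rejected.
        The nonce is removed on first presentation regardless of outcome: a
        valid nonce arriving from an unrecognised context is itself a sign the
        link has leaked, so it must not stay redeemable."""
        params = parse_qs(urlparse(url).query)
        nonce = params.get("bcode", [None])[0]
        if nonce is None:
            return None
        entry = self._pending.pop(self._digest(nonce), None)
        if entry is None:
            return None               # unknown, already used, or invalidated
        user_id, expires_at = entry
        if self.clock() > expires_at:
            return None               # expired
        if not device_known:
            return None               # extra owner check failed
        return user_id
```

The scanner is what a defender would run over an archived mailing list to see whether such links have been published; the service shows why a link that only carries a short-lived, single-use nonce and no email address gives an indexer far less to work with than the original URL format.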
In incidents like this, users cannot do much to protect their own data, because the exposure is outside their control. Security is also never final: new vulnerabilities are found every day, and social media companies and search engines need to respond to zero-day issues as a priority. In this incident, what went online was the email addresses of Facebook users, together with links that could log a visitor into their accounts; what the next incident will bring, nobody knows. On the other hand, it is everyone’s responsibility to report anything suspicious or unusual to the website and team concerned.