Facebook turns off login-by-email feature after links found online

Summary: The social network has temporarily turned off a feature that let people log into their accounts simply by clicking a link in an email, after some emails containing such links were found online.

Facebook has turned off a feature that let people log into their accounts simply by clicking on a link in emails sent to them by the social network, after many such links were found on the web.

The issue was reported late last week through a post on Hacker News. It affected links in Facebook emails of the 'X wants to be friends' variety. These links are designed to be clicked once by the account holder, but many of those found online had never been clicked and could have given an outsider access to the relevant Facebook account.

Even with links that were no longer valid, the string in the link would show the user's email address.

In a reply to the original post, Facebook security engineer Matt Jones said it would be unusual for such links to get posted online, but the fact that the links people had found on the web were genuine had led Facebook to turn the feature off "until we can better ensure its security for users whose email contents are publicly visible".

"For a search engine to come across these links, the content of the emails would need to have been posted online (e.g. via throwaway email sites, as someone pointed out — or people whose email addresses go to email lists with online archives)," Jones wrote.

Jones added that the links expire after a period of time if they remain unclicked. "They also only work for certain users, and even then we run additional security checks to make sure it looks like the account owner who's logging in," he added.
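The two design points the article touches on, a link that embeds the recipient's email address in its query string (so even an expired copy reveals the address) versus an opaque, single-use, expiring token looked up server-side, can be shown side by side. The code below is an added example written for this page; it is not Facebook's implementation, and the host name `example.invalid`, the class and function names and the 60-second lifetime are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


def weak_login_link(email: str, secret: bytes) -> str:
    """Weak pattern: the link carries the email in clear and a tag derived
    from it. Anyone who sees the link (in a public mail archive, a search
    index, a throwaway-inbox site) learns the address even after expiry."""
    tag = hmac.new(secret, email.encode(), "sha256").hexdigest()
    return f"https://example.invalid/login?email={email}&tag={tag}"


@dataclass
class TokenRecord:
    user_id: int
    expires_at: float
    used: bool = False


class MagicLinkIssuer:
    """Hardened pattern: a random opaque token, stored server-side (hashed),
    valid once and only until its expiry. The URL reveals nothing about the
    recipient. `clock` is injectable so expiry can be exercised in tests."""

    def __init__(self, ttl_seconds: int = 60,
                 clock: Callable[[], float] = time.time) -> None:
        self.ttl = ttl_seconds
        self.clock = clock
        # Only a hash of the token is stored, so a leaked store does not
        # yield usable links. (Hypothetical in-memory store.)
        self._store: Dict[str, TokenRecord] = {}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: int) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._store[self._key(token)] = TokenRecord(
            user_id=user_id, expires_at=self.clock() + self.ttl)
        return f"https://example.invalid/login?t={token}"

    def redeem(self, token: str) -> Optional[int]:
        """Return the user id on success, None if the token is unknown,
        already used or expired. The record is marked used before returning
        so a second click (or a second party) cannot replay it."""
        rec = self._store.get(self._key(token))
        if rec is None or rec.used or self.clock() > rec.expires_at:
            return None
        rec.used = True
        return rec.user_id


def token_from_link(link: str) -> str:
    """Extract the opaque token from a link produced by `issue`."""
    return link.split("?t=", 1)[1]


def link_reveals_email(link: str, email: str) -> bool:
    """True if the link text itself discloses the address, as in the
    weak pattern above."""
    return email in link


if __name__ == "__main__":
    # Constructed sample values, not real accounts.
    print(weak_login_link("alice@example.invalid", b"server-secret"))
    issuer = MagicLinkIssuer()
    link = issuer.issue(42)
    print(link)
    tok = token_from_link(link)
    print("first click  ->", issuer.redeem(tok))   # 42
    print("second click ->", issuer.redeem(tok))   # None
```

The weak form mirrors the complaint in the article: the address is readable from any copy of the link, valid or not. The hardened form fixes that by making the URL an opaque capability and moving identity, lifetime and use-count into the server-side record.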

The engineer also pointed out that those finding flaws in Facebook's security should disclose them responsibly through its white hat hacker program, so that "in addition to making some money, you can avoid a bunch of script kiddies exploiting whatever the issue is that you've found".


About

David Meyer is a freelance technology journalist.
