Facebook has turned off a feature that let people log into their accounts simply by clicking on a link in emails sent to them by the social network, after many such links were found on the web.
The issue was reported late last week through a post on Hacker News. It affected links in Facebook emails of the 'X wants to be friends' variety. These links are designed to be clicked once by the account holder, but many of those found online were unclicked and able to allow an outsider access to the relevant Facebook account.
Even with links that were no longer valid, the string in the link would show the user's email address.
In a reply to the original post, Facebook security engineer Matt Jones said it would be unusual for such links to get posted online, but the veracity of those people had found on the web had led Facebook to turn the feature off "until we can better ensure its security for users whose email contents are publicly visible".
"For a search engine to come across these links, the content of the emails would need to have been posted online (e.g. via throwaway email sites, as someone pointed out — or people whose email addresses go to email lists with online archives)," Jones wrote.
Jones added that the links expire after a period of time if they remain unclicked. "They also only work for certain users, and even then we run additional security checks to make sure it looks like the account owner who's logging in," he added.
The engineer also pointed out that those finding flaws in Facebook's security should disclose them responsibly through itsprogram, so that "in addition to making some money, you can avoid a bunch of script kiddies exploiting whatever the issue is that you've found".