Facebook e-mail notifications breach privacy

Summary: Shortly after joining the social networking site Facebook, I received an e-mail telling me a friend had "written on my wall". Within two clicks I was logged in and had full access to her account.

Shortly after joining the social networking site Facebook, I received an e-mail telling me a friend had "written on my wall". Within two clicks I was logged in and had full access to her account.

At first I was very confused -- I had only used the site for a day or two and thought I might have done something wrong, but when I managed to change her status message to "is being hacked", I knew something was wrong.

I logged out (of her account) and then tried clicking on the link again to try to recreate the effect, but it didn't work. However, when I opened the main Facebook page and typed the first letter of my friend's name, the browser had somehow remembered her username and password and allowed me to log into her account at will.

As my friend works in the same building as me, the first thing I did was ask if she had ever used my computer, but she said she had not.

She was, however, shocked and concerned that I could change her status message and potentially manipulate her information -- simply by leaving me a message.

My computer is a month-old HP Compaq desktop running Windows XP with all the latest patches. The incident I described happened while using Firefox when I was not logged into the Facebook site. I tried to recreate it in IE7 but could not.

As Facebook doesn't list a contact phone number, I haven't been able to get in touch with them yet. However, I will be sending them a copy of this blog as soon as it is published -- in the hope of finding out what is going on.

Has anyone experienced something similar? Anyone know what is going on?

Topics: Security, Social Enterprise

Munir Kotadia

About Munir Kotadia

Munir first became involved with online publishing in 1998 when he joined ZDNet UK and later moved into print publishing as Chief Reporter for IT Week, part of ZDNet UK, a weekly trade newspaper targeted at Enterprise IT managers. He later moved back into online publishing as Senior News Reporter for ZDNet UK.

Munir was recognised as Australia's Best Technology Columnist at the 5th Annual Sun Microsystems IT Journalism Awards 2007. In the previous year he was named Best News Journalist at the Consensus IT Writers Awards.

He no longer uses his Commodore 64.

  • About Facebook hack

    I use Facebook, and the same setup of FF2 and XP as yourself, and no, I haven't experienced that. Yikes, that IS scary stuff.

  • Facebook Security Prob

    I would suggest that maybe the problem is due to you logging in from the same IP address, perhaps.

    Also, are you sure she has never logged onto Facebook from your PC?
  • Facebook security issues

    I seem to remember Facebook did have a host of security problems early on, from things like feeds displaying personal information publicly to poor account security. Most of them seem to have been fixed over time, and this is a new scary one.

    It is suggested that Facebook might be seeing the same IP (Possible if you are behind a router using NAT) but most authentication is done using cookies if login persists.

    I would check into this further by replicating again and accessing the message from a different domain.
  • Reposted Photos

    Perhaps the "Wrote on your Wall" weakness is not Facebook's only concern.
    Recently I posted some older family photos to my site. I restricted access until I had spoken to all of the participants of the photos to ensure that they were agreeable to the photos being public.
    Within days, 58 photos from my "security enabled as restricted" albums were posted on another Facebook site without my permission.
    I reported the photos, have since put everyone on a restricted list with no access to the photos, and have not heard back, word one, from Facebook.
    I find their lack of communication very disturbing, especially since when you report a photo, they indicate that they will be back in touch within 48 hours.
    Perhaps they have nothing to say, because they are aware of the weakness and security breach.
    Perhaps this is why Facebook is number four... not number one... I don't believe it to be a safe forum at this point, but definitely it can be a great source of "mining" for your own collection if you don't mind violating and disrespecting the rights of other Facebook users.
  • They want your email password!!!!!!!!!

    Why on earth would I join a site which wants the password to my email account !!!
  • They want your email password!!!!!!!!!

    I just visited FB for the first time - I came to the point in registration where they asked for my email password.....wait..what? I thought I read it wrong, but yeah - those five words couldn't be screamed loud enough: "THEY WANT YOUR EMAIL PASSWORD!" As far as I'm concerned, if you give it to them, you are indeed an idiot, and will probably get exactly what you deserve.
  • It's a NEW password NOT your email password

    To those concerned about providing an email address and accompanying password - drop the paranoia for a second... this is coming from a current Facebook user.
    While it's not made very clear on the site, FB is asking you to create & submit a brand new password which, when entered along with your email address, will allow you access to your profile on the site. You are creating a FB login. It should say "create FB password" but it doesn't. They are not asking for your yahoo / hotmail / google / lotus / outlook etc password; the site wouldn't have made it off the ground if that was the case.
    If you happen to use your actual existing email account password you are just being silly, sorry to say.
  • It IS your Email password

    I have several friends who joined Facebook and were not asked this. It seems to be a new thing. I created a username and password different to my email and that allowed me in, but I couldn't enlarge the photos from tiny thumbnails because I backed out at the point of "enter your Email password". So I decided to just make up another password. It told me that my email password is incorrect and went on to detail that this is not my Facebook password that they require. They need my Email password to continue. It won't go any further unless I put in my email password. Perhaps it's because I have a Gmail account that it asks this????
  • Email Password story - why they want it

    From a netscape.com article:

    Facebook wants your email password

    Gadgets & Tech – A recently added feature on popular social networking site Facebook asks users to provide their email address and email passwords. With your email account information in hand, Facebook will then log in as you and automatically extract your address book, which will allow them to tell you if your friends have facebook accounts. Will many users part?
  • facebook hack

    I am not sure what happened to my account. I came home, tried to log onto Facebook and there were a bunch of numbers in my account where my name should have been. I don't know if they got in or not, but that worries me a lot; it was just plain weird...
  • hacked?

    Well, for starters I can't even put up my email at the bottom of this field b/c my Gmail account and Facebook have apparently been hacked or phished, in which case the last thing I remember doing on Facebook was replying to a letter I had in my inbox which had a lot of people's replies on it, so I figured I would write back to this annoying creep the same way everyone else did. So now I am stuck here waiting 5 days to do a Gmail password recovery, to which it will ask my secret question. Facebook has sent an email of my password to my email; they are both the same password, so now I have a big problem on my hands b/c I have private data like PayPal that get sent to my account. Why the 5 days????!!! Very stupid if you ask me. Oh, and screw Facebook.
  • E-Mail Password

    I have been using the internet since the beginning, even before, in the days of BBS boards. I have worked technical support for more than 2 dozen ISPs..... In all my years of helping people I have never seen anyone ask for your email password as a part of the sign up process! This is Wrong!


    No legitimate site or service, no matter how large, has the right to this information. How would you feel if MySpace or, god forbid, Microsoft Corp required your email password? Would you honestly give it? Trust nobody with your passwords; they are yours, and everything done using your email is your responsibility, and a court of law won't buy that it was someone else.
    • MS do want your e-mail password - have you ever used Hotmail or Passport?

      MS Passport used to bug me - you have to hand over a lot of personal details to use their (at the time) crappy online services.
      Richard Powell

    Facebook stinks! Plain and simple!
  • Facebook

    Is a secure meeting place for terrorists and was set up on those grounds. They don't make money cos it's free; the ads are bullshit. With government agencies denied access to user profiles due to the international nature, they have no jurisdiction. And for instance Saddam Hussein could be "John". Better than using tapped telephone lines. Why would ordinary citizens worry about folks reading their messages if they said things like "hey!"
  • Continues

    or "what u doin today?" If there was a creep tryin to access your profile u can block him/her entirely anyway. So when privacy becomes a national security risk - "let's meet in the car park and sell drugs" is the same as "I'm going to the club tonight". Y care till 1 day ur office explodes?!
  • Privacy Issues.

    The main available avenues for resolving non-application-specific privacy/security breaches or querying privacy/security issues are the email address listed in the privacy policy, privacy(@)facebook.com, or starting a ticket at http://www.truste.org/consumers/watchdog_complaint.php
    Considering the seriousness of this breach, I would suggest doing both.
    It could be hard to ascertain who was at fault here; it could be a third party application in the middle or it could be one of Facebook's apps. Or worst case scenario, you may have discovered a new vulnerability....if only you could repeat it. My thinking is that it could be a session cookie error or something similar, but who knows?
    All of this aside, I have found that the status updates have a lot of troubles. Almost once a week when I get the FBML included in my update.
    For example:
    {"status":"is pulling dust bunnies out of people's computers.","markup":"is pulling dust bunnies out of people's computers."}
    This is the slimmed down version, there are usually timestamps and some other tags in there as well.
    Please keep us informed on the outcome and thanks for the heads up.
  • Facebook

    I have been using facebook since November 07 and have never been asked for my e-mail password, only asked for me to create a password for my Facebook account, and then use that password whenever I log in. And what are you all worried about anyway, isn't that why you put stuff on there so people can see it, you want it private, e-mail your mates direct!!
  • misunderstanding

    I've been using Facebook for only 2-3 weeks so my experience should be fairly current. To open an account I was asked to create a password (not give my email password). The only time I was asked for my email password was when I pursued the option to have them "find" my friends, in other words check and see if any of the peeps in my address book are already on Facebook. Sorry to inform you, but even good ol' Yahoo recently asked me for the same info for the same reason. This is why in BOTH cases I bailed on the process and decided to find my friends the old fashioned enter & search way. More time intensive, but preferable to giving anyone my password - even "good ol' Yahoo!" Please don't confuse this optional step with a requirement for registering with Facebook.
  • Email password is optional and for locating friends

    Facebook has a feature where if you have webmail you can provide your account info - which they claim they do not store after using it once - and they will download your address book and show you anyone in it who is already on Facebook so you can mark them as friends.

    I agree, you are stupid if you do it; however, it's totally optional.