Facebook turns off login-by-email feature after links found online

Summary: The social network has temporarily turned off a feature that let people log into their accounts simply by clicking a link in an email, after some emails containing such links were found online.

TOPICS: Security

Facebook has turned off a feature that let people log into their accounts simply by clicking on a link in emails sent to them by the social network, after many such links were found on the web.

The issue was reported late last week in a post on Hacker News. It affected the login links embedded in Facebook notification emails of the 'X wants to be friends' variety. These links are designed to be clicked once, by the account holder, but many of those found online were still unclicked and valid, so anyone who followed one would be logged straight into the corresponding Facebook account.

Even where a link had already expired, the string in the URL disclosed the user's email address.

In a reply to the original post, Facebook security engineer Matt Jones said it would be unusual for such links to be posted online, but that the ones people had found on the web were genuine, which led Facebook to turn the feature off "until we can better ensure its security for users whose email contents are publicly visible".

"For a search engine to come across these links, the content of the emails would need to have been posted online (e.g. via throwaway email sites, as someone pointed out — or people whose email addresses go to email lists with online archives)," Jones wrote.

Jones added that the links expire after a period of time if they remain unclicked. "They also only work for certain users, and even then we run additional security checks to make sure it looks like the account owner who's logging in," he added.
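The controls Jones describes (a link that works once, expires if it is never clicked, and is only honoured when the client looks like the account owner), together with the point above that the URL itself should not disclose the user's email address, as an added example. This is illustrative code written for this page, not Facebook's implementation: the 15-minute lifetime, the `known_ips` "looks like the owner" check and the `app.example.invalid` URLs are assumptions, and the leaked-link scenario is constructed.

```python
"""Single-use, expiring login links (example code, not Facebook's implementation)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Tuple
from urllib.parse import parse_qs, urlparse

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime; the article does not state Facebook's


@dataclass
class PendingLogin:
    user_id: str
    expires_at: float
    used: bool = False


class MagicLinkService:
    """Issues and redeems login links. Only an HMAC of each token is stored, so a
    copy of the server-side table cannot be turned back into usable links."""

    def __init__(self, server_secret: bytes, clock: Callable[[], float] = time.time):
        self._secret = server_secret
        self._clock = clock
        self._pending: Dict[str, PendingLogin] = {}
        # Hypothetical "looks like the account owner" signal: IPs previously seen for the user.
        self.known_ips: Dict[str, set] = {}

    def _fingerprint(self, token: str) -> str:
        return hmac.new(self._secret, token.encode("ascii"), hashlib.sha256).hexdigest()

    def issue(self, user_id: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG: unguessable
        self._pending[self._fingerprint(token)] = PendingLogin(
            user_id=user_id, expires_at=self._clock() + TOKEN_TTL_SECONDS
        )
        # The URL carries only the opaque token, no email address or user id, so an
        # expired link sitting in a public mail archive discloses nothing about the account.
        return f"https://app.example.invalid/login?t={token}"

    def redeem(self, url: str, client_ip: str) -> Tuple[bool, str]:
        """Returns (ok, user_id) on success or (False, reason) for each distinct failure."""
        token = parse_qs(urlparse(url).query).get("t", [""])[0]
        fp = self._fingerprint(token)
        rec = self._pending.get(fp)
        if rec is None:
            return False, "unknown-token"
        if rec.used:
            return False, "already-used"
        if self._clock() > rec.expires_at:
            del self._pending[fp]
            return False, "expired"
        # A failed owner check does not consume the token: the real owner can still click it.
        if client_ip not in self.known_ips.get(rec.user_id, set()):
            return False, "unrecognised-client"
        rec.used = True  # consumed before any session is created, so a replay fails
        return True, rec.user_id


def demo() -> Dict[str, object]:
    """Constructed scenario: one link leaks unclicked, one is never clicked at all."""
    now = [1_700_000_000.0]  # controllable clock so expiry can be shown without sleeping
    svc = MagicLinkService(server_secret=b"rotate-me-in-production", clock=lambda: now[0])
    svc.known_ips["alice"] = {"203.0.113.7"}
    results: Dict[str, object] = {}

    # 1. An unclicked link ends up in a public archive and a stranger tries it first.
    leaked = svc.issue("alice")
    results["stranger_first"] = svc.redeem(leaked, client_ip="198.51.100.9")
    # 2. The owner clicks the same link from a recognised address; a stranger then replays it.
    results["owner"] = svc.redeem(leaked, client_ip="203.0.113.7")
    results["replay"] = svc.redeem(leaked, client_ip="203.0.113.7")
    # 3. A second link is never clicked; once the TTL has passed it is dead.
    stale = svc.issue("alice")
    now[0] += TOKEN_TTL_SECONDS + 1
    results["expired"] = svc.redeem(stale, client_ip="203.0.113.7")
    # 4. Neither URL embeds the account's email address.
    results["url_leaks_identity"] = "alice@example.invalid" in (leaked + stale)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:20} {outcome}")
```

The two properties worth noting are that every failure path is decided before `used` is set, so a stranger's attempt never locks the real owner out, and that the only identifying material in the link is a random token whose server-side record disappears on expiry; an archived copy of the email then reveals nothing beyond the fact that a login link was once sent.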

The engineer also pointed out that those finding flaws in Facebook's security should disclose them responsibly through its white hat hacker program, so that "in addition to making some money, you can avoid a bunch of script kiddies exploiting whatever the issue is that you've found".

David Meyer

About David Meyer

David Meyer is a freelance technology journalist. He fell into journalism when he realised his musical career wouldn't pay the bills. David's main focus is on communications, as well as internet technologies, regulation and mobile devices.

  • Google software privacy issue?

    The key question is, how did these private URLs get into Google search?

    It is reasonable to ask whether these private URLs got into Google via Google software such as Chrome, Toolbar, etc. I did raise this in a discussion with an Information Security Manager at Google, who seemed to dodge the issue:


    Apart from his tone becoming patronising and rude, it's notable that he repeatedly failed to address this question and tried to deflect the conversation on to other topics e.g. by quoting my concerns out of context.
    Tim Acheson
  • Gmail to blame?

    "The e-mails could be discovered through a simple Google search query"

    Could Gmail be responsible? An extremely important question remains unanswered:

    How did these private URLs from private emails get into Google's index?

    Google admits that its software processes the content of private Gmail emails -- in order to detect the context for the adverts displayed in Gmail. It is clear from the published examples, including the one above, that the affected users are Gmail users! Could this, as well as the Chrome browser and Google Toolbar, be a route by which data can enter Google's search index?
    Tim Acheson