Recently, I’ve come across some functionality on Facebook that seems… worrying to say the least.
On Facebook, if you sign up for text notifications, you will receive a text message when someone comments on your status, accepts your friend request, etc. In that SMS, there will be a link which directs you to the post with the following URL format: https://fb.com/l/<some-hash-here>.
Strangely, when you click this link you are automatically authenticated and logged in to your Facebook account. That’s right. It doesn’t ask you for a username or password, but just gives you access to the account. By simply clicking this link, you have gained full control of that account (which is obviously not good if the account is not yours). This means, if you share your text notification link with someone, they will have access to your Facebook account from a single click. Am I the only one that thinks this is absurd?
After reporting this issue to the Facebook security team, I received a response which included the following:
“The protection in this case is to not allow someone to access your device or never share private links with another user.”
They were able to confirm that this was intended functionality which made matters even worse. What exactly are ‘private links’ in this case? I’m always sharing links of videos on Facebook to my friends. Nowhere have I read that links shouldn’t be shared because it could potentially expose your Facebook account.
I’m sure many people have activated these mobile alerts on their Facebook accounts, so I’m posting this to raise awareness of this strange functionality.
If you are not convinced, please try this for yourself . Facebook lets you generate test users from your own account. Just generate two test accounts A and B, set up text message notifications on A and add A as a friend from B. You should receive a text with a link. Click the link from any platform and it should log you in as A (without requiring username/password).
Hacker Noon is how hackers start their afternoons. We’re a part of the @AMIfamily. We are now accepting submissions and happy to discuss advertising &sponsorship opportunities.
To learn more, read our about page, like/message us on Facebook, or simply, tweet/DM @HackerNoon.
If you enjoyed this story, we recommend reading our latest tech stories and trending tech stories. Until next time, don’t take the realities of the world for granted!
Create your free account to unlock your custom reading experience.