I don't consider this a Facebook security flaw. The person with the Facebook account added your email address to their profile.
It's tantamount to them giving you a copy of their house key, you using it to get into the house, and then stating that there is a security flaw in the door.
I think looking at it as i tried to outline in the post that Facebook should really only send out messages to confirmed email addresses. If this was the case it would effectively stop the problem and not allow bypassing the security questions
What happens if someone gets access to your email though? For example, a silly person might forget to logout of their email when using a public computer. If I notice this, I can just hijack their Facebook account.
You're kidding right? If you get access to somebody's email account then all bets are off. You could take over somebody's HackerNews account exactly the same way. You could take over accounts on most websites this way...
9 comments
[ 2.9 ms ] story [ 27.7 ms ] threadInteresting story though, and one more thing that would make me concerned about having a FB account.
It's tantamount to them giving you a copy of their house key, you using it to get into the house, and then stating that there is a security flaw in the door.