Tell HN: Forwarded Facebook emails automatically login as recipient

65 points by peteforde ↗ HN
I'm rarely speechless, but my best friend - who is not a developer but tech-savvy - just forwarded an email invite to an event that she wants me to come to with her. The email was a standard transactional Facebook event notification.

When I clicked on the event, I was logged into Facebook as my friend.

Full privileges. I could have done anything. I logged out, called her immediately and explained that a) she shouldn't send anyone transactional emails from Facebook and b) that in my opinion, she hadn't done anything wrong.

This is an outrageous security violation, as well as a violation of the principle of least surprise. It seems completely reasonable to me that someone would forward an event invitation to other people. I see this kind of thing with older folks, in particular. The obvious concern, here, is that someone could (not should) forward that email to a much larger group of people.

In an era where people are unfortunately reliant on Facebook for their identity management, social connections and even professional networking, the idea of losing access to your Facebook profile to an unknown actor is terrifying. I don't understand how this ever made it past QA.

If you work at Facebook, fix this right now.

35 comments

[ 3.1 ms ] story [ 81.3 ms ] thread
You sure your friend hadn't previously logged in to her FB on whatever browser your email happened to open things to?
Yes. She's never been on or near this machine. I have no idea of her credentials, and nor would I want to.
Can't reproduce. #WONTFIX. Closing.

[If we're pretending HN is an FB security-issue reporting-system, I'll pretend I'm an inattentive FB engineer!]

I was just able to login again, using the same email link.

Proof: https://imgur.com/a/AgTVgZK

under an incognito tab?
No, Incognito forces a login.

My browser has a Facebook user logged in. However, this user is a dev account that has zero friends. This shouldn't, IMHO, change anything.

^ this right here is critical. Dev accounts tend to be more open to specific features .....
followup question :

Is this an app "test user" account you are logged into? Has the user in question authorized the app you are developing?

My friend is not a test user, and my dev user is literally just for doing QA on social graph tags for an otherwise unrelated project. My friend hasn't seen my project or interacted with this dev account in any way.
Any particular reason you didn't report this through facebook.com/whitehat after googling how to report security issues to facebook? Or attempt to reproduce it independently after reading instructions for best practices when doing so on the aforementioned page? I can only assume it's because these patterns and facilities weren't within your awareness at the time, which is fine, but ideally you may consider these both in the future.

I point this out not only because this kind of blast looks bad (even among full-disclosure circles), but because if it's a valid find, you just passed up potentially a five figure sum.

Correct, and thank you. It's not my usual MO, but this strikes me as alarming. I will file a report over there as well.

However, I have been inspired by Troy Hunt's recent posts. It's clear that action follows illumination.

I passed this to their oncall sec

Question, was this a "someone invited you" email with a join button? Was it an RSVP reminder of an event? A confirmed email? Subject line would be useful.

From: Facebook <notification@facebookmail.com> Subject: Event Invitation {string}

Body starts with:

{my friends' friend} invited you to {page}'s event

There's no Join button, but there is a set of Going / Interested / Not Interested buttons in the standard Facebook styling. It's a calendar invitation.

I can't speak for him. I can only speak for myself, and I'd think twice and at least attempt to reproduce it independently and submit it to Facebook and wait to hear back that they won't fix it and try to understand why they won't fix it all before deciding to post this kind of find to the wild.
I will kindly suggest that in the future, instead of phrasing advice in the form of "Any particular reason you didn't do the thing which to me is obviously the only smart thing to do?", you could give feedback more prescriptively and without any implied accusations.

For example:

"peteforde, in the future please do the following instead of posting on HN:

- Google "how to report security issues to <whatever company>"

- In this case, you will be directed to facebook.com/whitehat

- You should try to reproduce this independently first, after reading the best practices for doing so at the URL above.

And, there may be a five-figure sum for you if you indeed find a vulnerability, and report it as above."

Your guidance has been noted and is appreciated.

I'm leaving my initial post unedited not only for context but because I feel it conveys a certain gravity as to the discoverability of the best practice that was missed here. I'm generally a fan of the feedback pattern you described... but not always. Egregious impermissible disclosures of any sort--security, PHI/PCI/PII/FERPA, etc. all fall in the "not always" bucket for me.

To me the wording, "Any particular reason you didn't do x?" wasn't an implied accusation. In fact it was the opposite. It was assumed that the original poster had taken all measures and had a good reason why they didn't take the action. It is similar to saying, "Have you considered...?" It is a less combative way to say, "You should have done x," which does implied that the original poster did something wrong.
It's a hostile way to talk to someone who's doing something nice
This is not a security breech or bug, it is the intentional design of Facebook. It is like complaining that if you give away your password, someone can login as you, thus Facebook ought to iasue two factor auth dongles. That is not the sort of thing to forward to facebooks abuse department. It requires a policy change for a different authentication method, and that is something that can be freely and publically discussed.
It actually is a huge risk.

You make the same flawed assumption many people (including the folks over at FB) make, that your email is private and that once it's breached it's game over anyway.

The reason we came across this issue a while ago (see below) is that an elderly family member was forwarding emails when people had invited this person to an event. This family member knows better than to forward emails regarding password resets and account details. They really didn't do anything wrong. They just unbeknownst to them shared full account access to 50 other people.

Nowhere in this email does it say 'dont forward' and the expectation of anyone to click at one of those email links would be to be prompted credentials when they are not currently logged in as that person. Now, no matter on what device you are, it seems you can with one click be granted access to the entire account based on that link alone.

It's not even a one time use token, it's a all free pass.

Social engineering wise it's so simple: "Hey buddy, that party tonight, do you still have the invite email? I forgot and I'm on my way to work now." - done.

Prefix: I haven't confirmed yet that the OP error report is legitimate/accurate. Haven't been on FB in a while.

--

Yes. If you pay any attention to how users actually behave, this scenario is very obvious -- not just obvious, but observed, regularly.

"You're not doing it right" is not an excuse -- in any measure -- in a scenario such as this.

People forward emails. All the time. That often includes stuff they didn't intend to. Much less links they have no idea will provide the recipient access to their account.

Reminder [sorry if this is a bit stereotypical]:

Sewing circle Saturday at 2.

"I should send this to Sue and Pam, so they don't forget this month."

Or,

Notice: Book club next Friday instead of this.

"I'd better let Steve know. He never checks his schedule until the last moment, if then."

At one point, I had to check BigCo's email flows and behaviors. I sure as heck checked for things like this.

P.S. I guess I'll mention that one time, I caught a Google Docs non-email-related "lingering access" vulnerability. Google was going to close it as a non-issue or won't fix, until I pointed out its impact on their government Docs deployments and that I knew who to talk to on the government side. Then, it got fixed.

I hope we're not going further down the "some people matter more than others" hole. We already have help triage by social media prominence.

In that vein, maybe all that's left is to zero-day them (BigTechCo, in general), until they pro-actively improve their internal processes as well as external responsiveness.

Not sure what to tell you... it's been corroborated by several people in this thread and apparently, FB considers this a feature.

I wish I had a dime for every HN karma point, but when I suddenly had full access to my friends' FB account there's little room for other explanations. I was her: open and shut case.

https://imgur.com/a/AgTVgZK

Note the "Not you?" bit. This bug has a UI.

This is Facebook. Public shame is the only way to reliably get them to change policy even slightly on something they have already made a decision about.
Could you provide more info

Oath2 shouldn't aloow this. Also you say you're logged in as a Dev acct. Dev accts are sandboxed to the dev app ID.

Could you use Loom to show a video of this big?

For clarification, it's not a Facebook developer account. This is just a dummy account I've been using to verify the social graph headers are working when I post pages from an unrelated project. It's technically against FB policy to have an account that isn't a real person. This dummy user has no friends; my human friend has not interacted with it in any way.

I did post a partial screencap elsewhere in the thread. I'm not comfortable creating a video but I would be happy to provide further details to FB security folks.

For what it's worth, part of the reason I posted to HN was that it's clear to me that this is intended functionality. Bugs don't usually say "welcome back".

I believe that the risk associated with this feature dramatically outweighs the upside.

This is great! Now every app that allows their users to sign in using their Google account, and asked for blanket "let's read all your email" permissions, can simply trawl through that data trove for this same email notification from Facebook, and have access to that user's account.
For what it's worth:

I actually reported this very issue to FB over two weeks ago and at first they denied this being an issue, it's a feature instead. After pushing a little I had them admit that this is actually a real security leak, however they argued that I was _not_ the first one to find and report this. That means no six figure bounty. They have since closed the ticket with what's basically a: will fix in the future.

After some discussion I found the following:

- Facebook at the very core assumes you don't forward your emails, the security staff I talked to didn't seem to understand this is a very basic flawed assumption.

- It's by no means a one time use token, you can keep using it over and over again. I don't understand why, they could've just used a single use token if anything.

- It's bound by some kind of security mechanism, and from my PoC I found it to be simply your IP. I suspect your friend has logged onto or simply used Facebook from your IP address.

- The emails don't indicate the button you are about to press actually contains private information. This is bad UX. If people were told that the emails should be kept private and not shared (not the case) then this could be different.

This _seems_ to be a feature that they built so people can log in, even if they have forgotten their passwords, in order to keep user engagements high.

It also opens up a can of worms. For example, if you break up with a partner and you still have an ancient forwarded email, you can now simply log in as them and have full control over their account. I suspect there's also little protection for public WiFi that shares the same IP, such as coffee places, cafes/bars or public transport hubs. If you see anyone there that has ever forwarded you an email, you now own their account ;).

But remember folks, that's not a bug. It's a feature!

Edit: At this point I actually don't believe this is new for FB. For me this is proof that business overtook good engineering and that there's simply a box checked with 'accepted risk'. There is either no actual previous report or people have been reporting this for a long time, but there seems to be no willingness to fix this.

To me it seemed to be hugely connected to last weeks '50 mil account token' leak but this is separate, accounts that I tested my PoC on can still be accessed and it's telling that even after last weeks PR nightmare this 'feature' is still online.

Thank you so much for your reply.

1. I'm perversely relieved that I did not throw away the magical 5-figure sum.

2. I can guarantee that my friend has never been to this house, so while there could be a security metric (which I can't think of) it's not the IP.

3. The fact that this is seen as an engagement feature and not a security loophole is disturbing even if there aren't a list of other scandals.

4. I no longer regret posting here. I'm pretty much the opposite of an attention seeker, but I hope that this discussion puts a bit more fire under their collective ass.

Do the links ever expire? Or, if i get access to a single Facebook email belonging to someone, I can access their account for life, regardless of whether years have passed, and they changed their password?
The links that I have tried do not expire. I can't tell you how long they will last.
Of course, the optimal way to respond to this is a contradiction: Raise a big stink, but secretly. This is not easy. I think the history of the "Tempest" security bug should be re-read every few years.
Unrelated to FB, but one of the things that popular email clients (Gmail, Hotmail, Yahoo, etc.) could be doing is a "forward without links" feature (or even "forward without links with credentials" by detecting for query params in links and only excluding those), where it'd be enabled when forwarding an email (you can manually disable it if you know what you're doing).
I've never understood why any company emails magic log-in links in anything except a password reset (which should immediately prompt for a new password and send the user a notice that their password has been changed)