Tell HN: Forwarded Facebook emails automatically login as recipient
When I clicked on the event, I was logged into Facebook as my friend.
Full privileges. I could have done anything. I logged out, called her immediately and explained that a) she shouldn't send anyone transactional emails from Facebook and b) that in my opinion, she hadn't done anything wrong.
This is an outrageous security violation, as well as a violation of the principle of least surprise. It seems completely reasonable to me that someone would forward an event invitation to other people. I see this kind of thing with older folks, in particular. The obvious concern, here, is that someone could (not should) forward that email to a much larger group of people.
In an era where people are unfortunately reliant on Facebook for their identity management, social connections and even professional networking, the idea of losing access to your Facebook profile to an unknown actor is terrifying. I don't understand how this ever made it past QA.
If you work at Facebook, fix this right now.
35 comments
[ 3.1 ms ] story [ 81.3 ms ] thread[If we're pretending HN is an FB security-issue reporting-system, I'll pretend I'm an inattentive FB engineer!]
Proof: https://imgur.com/a/AgTVgZK
My browser has a Facebook user logged in. However, this user is a dev account that has zero friends. This shouldn't, IMHO, change anything.
Is this an app "test user" account you are logged into? Has the user in question authorized the app you are developing?
I point this out not only because this kind of blast looks bad (even among full-disclosure circles), but because if it's a valid find, you just passed up potentially a five figure sum.
However, I have been inspired by Troy Hunt's recent posts. It's clear that action follows illumination.
Question, was this a "someone invited you" email with a join button? Was it an RSVP reminder of an event? A confirmed email? Subject line would be useful.
Body starts with:
{my friends' friend} invited you to {page}'s event
There's no Join button, but there is a set of Going / Interested / Not Interested buttons in the standard Facebook styling. It's a calendar invitation.
For example:
"peteforde, in the future please do the following instead of posting on HN:
- Google "how to report security issues to <whatever company>"
- In this case, you will be directed to facebook.com/whitehat
- You should try to reproduce this independently first, after reading the best practices for doing so at the URL above.
And, there may be a five-figure sum for you if you indeed find a vulnerability, and report it as above."
I'm leaving my initial post unedited not only for context but because I feel it conveys a certain gravity as to the discoverability of the best practice that was missed here. I'm generally a fan of the feedback pattern you described... but not always. Egregious impermissible disclosures of any sort--security, PHI/PCI/PII/FERPA, etc. all fall in the "not always" bucket for me.
You make the same flawed assumption many people (including the folks over at FB) make, that your email is private and that once it's breached it's game over anyway.
The reason we came across this issue a while ago (see below) is that an elderly family member was forwarding emails when people had invited this person to an event. This family member knows better than to forward emails regarding password resets and account details. They really didn't do anything wrong. They just unbeknownst to them shared full account access to 50 other people.
Nowhere in this email does it say 'dont forward' and the expectation of anyone to click at one of those email links would be to be prompted credentials when they are not currently logged in as that person. Now, no matter on what device you are, it seems you can with one click be granted access to the entire account based on that link alone.
It's not even a one time use token, it's a all free pass.
Social engineering wise it's so simple: "Hey buddy, that party tonight, do you still have the invite email? I forgot and I'm on my way to work now." - done.
--
Yes. If you pay any attention to how users actually behave, this scenario is very obvious -- not just obvious, but observed, regularly.
"You're not doing it right" is not an excuse -- in any measure -- in a scenario such as this.
People forward emails. All the time. That often includes stuff they didn't intend to. Much less links they have no idea will provide the recipient access to their account.
Reminder [sorry if this is a bit stereotypical]:
Sewing circle Saturday at 2.
"I should send this to Sue and Pam, so they don't forget this month."
Or,
Notice: Book club next Friday instead of this.
"I'd better let Steve know. He never checks his schedule until the last moment, if then."
At one point, I had to check BigCo's email flows and behaviors. I sure as heck checked for things like this.
P.S. I guess I'll mention that one time, I caught a Google Docs non-email-related "lingering access" vulnerability. Google was going to close it as a non-issue or won't fix, until I pointed out its impact on their government Docs deployments and that I knew who to talk to on the government side. Then, it got fixed.
I hope we're not going further down the "some people matter more than others" hole. We already have help triage by social media prominence.
In that vein, maybe all that's left is to zero-day them (BigTechCo, in general), until they pro-actively improve their internal processes as well as external responsiveness.
I wish I had a dime for every HN karma point, but when I suddenly had full access to my friends' FB account there's little room for other explanations. I was her: open and shut case.
https://imgur.com/a/AgTVgZK
Note the "Not you?" bit. This bug has a UI.
Oath2 shouldn't aloow this. Also you say you're logged in as a Dev acct. Dev accts are sandboxed to the dev app ID.
Could you use Loom to show a video of this big?
I did post a partial screencap elsewhere in the thread. I'm not comfortable creating a video but I would be happy to provide further details to FB security folks.
For what it's worth, part of the reason I posted to HN was that it's clear to me that this is intended functionality. Bugs don't usually say "welcome back".
I believe that the risk associated with this feature dramatically outweighs the upside.
I actually reported this very issue to FB over two weeks ago and at first they denied this being an issue, it's a feature instead. After pushing a little I had them admit that this is actually a real security leak, however they argued that I was _not_ the first one to find and report this. That means no six figure bounty. They have since closed the ticket with what's basically a: will fix in the future.
After some discussion I found the following:
- Facebook at the very core assumes you don't forward your emails, the security staff I talked to didn't seem to understand this is a very basic flawed assumption.
- It's by no means a one time use token, you can keep using it over and over again. I don't understand why, they could've just used a single use token if anything.
- It's bound by some kind of security mechanism, and from my PoC I found it to be simply your IP. I suspect your friend has logged onto or simply used Facebook from your IP address.
- The emails don't indicate the button you are about to press actually contains private information. This is bad UX. If people were told that the emails should be kept private and not shared (not the case) then this could be different.
This _seems_ to be a feature that they built so people can log in, even if they have forgotten their passwords, in order to keep user engagements high.
It also opens up a can of worms. For example, if you break up with a partner and you still have an ancient forwarded email, you can now simply log in as them and have full control over their account. I suspect there's also little protection for public WiFi that shares the same IP, such as coffee places, cafes/bars or public transport hubs. If you see anyone there that has ever forwarded you an email, you now own their account ;).
But remember folks, that's not a bug. It's a feature!
Edit: At this point I actually don't believe this is new for FB. For me this is proof that business overtook good engineering and that there's simply a box checked with 'accepted risk'. There is either no actual previous report or people have been reporting this for a long time, but there seems to be no willingness to fix this.
To me it seemed to be hugely connected to last weeks '50 mil account token' leak but this is separate, accounts that I tested my PoC on can still be accessed and it's telling that even after last weeks PR nightmare this 'feature' is still online.
1. I'm perversely relieved that I did not throw away the magical 5-figure sum.
2. I can guarantee that my friend has never been to this house, so while there could be a security metric (which I can't think of) it's not the IP.
3. The fact that this is seen as an engagement feature and not a security loophole is disturbing even if there aren't a list of other scandals.
4. I no longer regret posting here. I'm pretty much the opposite of an attention seeker, but I hope that this discussion puts a bit more fire under their collective ass.