November 2nd, 2012, 15:29 GMT · By

Google Search Exposes over 1 Million Facebook Accounts

Over one million Facebook users exposed by buggy feature
A Hacker News member noticed that performing the Google search “inurl:bcode=[*]+n_m=[*] site:facebook.com” returned links to the accounts of around 1.3 million Facebook users. Some of those links could be used to get into the accounts in question without a password.

The temporary links generated by Facebook expired as soon as they were clicked, and since many of them had already been clicked by the time the “hack technique” was identified, those accounts could no longer be accessed without the password.

However, the links could still be utilized to see the account holder’s email address.

“nico-roddz” of Hacker News, who identified the issue, claims that he noticed the bug after a friend sent him a link.

“A friend forwarded me an email from a FB group notification. Something like: http://www.facebook.com/n/?groups% [id here]/permalink %[id here]/&mid=[id here]&bcode= [id here]-mjoi&n_m=[email address here]. When I clicked the url I got automatically logged into my friend's account. So it is definitely a Facebook security issue,” he explained.

Fortunately, Matt Jones of the Facebook Security Team noticed the Hacker News thread and quickly intervened.

“We only send these URLs to the email address of the account owner for their ease of use and never make them publicly available. Even then we put protection in place to reduce the likelihood that anyone else could click through to the account,” he said.

“For a search engine to come across these links, the content of the emails would need to have been posted online (e.g. via throwaway email sites, as someone pointed out - or people whose email addresses go to email lists with online archives).”

Jones explained that the links in question expired after a certain period, and that additional security checks are in place to prevent abuse.

However, since those additional checks were clearly flawed, Facebook turned the feature off until the issue could be properly addressed. The accounts of users who had “recently logged in through this flow” have also been secured.
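As an added illustration, not Facebook's code (the article shows none), the following Python sketch shows the two safeguards Jones describes for mailed login links, single use and a limited validity window, plus two hardening points the incident makes obvious: the link carries only an opaque token rather than the recipient's email address, and the server keeps only a hash of the token. The host name, the lifetime and the `LoginLinkStore` class are assumptions for the example.

```python
import hashlib
import secrets
import time

# Assumed lifetime in seconds; the article gives no figure.
TOKEN_TTL_SECONDS = 3600


class LoginLinkStore:
    """Issues and redeems single-use, time-limited login-link tokens.

    Only a SHA-256 digest of each token is kept server-side, so a copy of
    this store does not let anyone log in; the raw token exists once, in
    the link mailed to the account owner, and nowhere else.
    """

    def __init__(self, ttl=TOKEN_TTL_SECONDS, clock=time.time):
        self._ttl = ttl
        self._clock = clock  # injectable for testing
        self._pending = {}   # token digest -> (user_id, expires_at)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id):
        """Create a fresh 256-bit random token and return the link to mail.

        The link carries only the opaque token, not the recipient's email
        address, so an indexed copy of it reveals no identity by itself.
        """
        token = secrets.token_urlsafe(32)
        self._pending[self._digest(token)] = (user_id, self._clock() + self._ttl)
        return "https://example.invalid/login?token=" + token  # placeholder host

    def redeem(self, token):
        """Return the user_id for a valid token, consuming it; else None."""
        # pop() makes the token single use: a second click finds nothing,
        # whether or not the first attempt succeeded.
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        user_id, expires_at = entry
        if self._clock() > expires_at:
            return None  # past the validity window; already removed above
        return user_id
```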
