Facebook has addressed a security concern enabling anybody to access a number of accounts.
A member of Hacker News with the username nico-roddz, who describes himself as somebody who uses the Internet to help companies increase their revenue and visibility, highlighted the issue in a post earlier today, and later explained how he discovered it.
"This is how everything started: A friend forward me an email from a FB group notification. Something like: http://www.facebook.com/n/?groups%[id here]%2Fpermalink%[id here]%2F&mid=[id here]&bcode=[id here]-mjoi&n_m=[email adress here]," he wrote in his follow-up post. "When I clicked the url I got automatically logged into my friend's account. So is definitely a Facebook security issue. Then I tried some google searches to see if I could find some urls containing the parameters: bcode= &email= n_m= mid=."
The original message from nico-roddz contains a link that led to a Google search page, listing over 1.3 million Facebook accounts and their corresponding email addresses. When clicked, some of the links allowed accounts to be entered without a password.
Matt Jones, a software engineer at Facebook, commented on the message not long after it was posted, saying, "We only send these URLs to the email address of the account owner for their ease of use and never make them publicly available. Even then we put protection in place to reduce the likelihood that anyone else could click through to the account. For a search engine to come across these links, the content of the emails would need to have been posted online."
The URLs in question are usually meant to bring to light Facebook notifications and provide instant access to matching accounts. They can be clicked once before expiring, which explains why only a portion of the 1.3 million listed accounts were fully accessible.
Jones then confirmed that Facebook has secured the breached accounts and temporarily disabled the feature at fault, at least until users' safety can be ensured.
Jones concluded by thanking nico-roddz, but advised people who discover issues relation to Facebook in the future to disclose their findings through Facebook's White Hat programme.
Many of the breached accounts appear to be located in China or Russia.