Nov. 2, 2012 at 2:56 PM ET
A security hole on Facebook that let virtually anyone get into some individuals' Facebook accounts without a password was discovered by a hacker, but the social network says that vulnerability is now fixed.
While the security hole wasn't the kind of thing most of us would tap into easily, a well-meaning hacker who goes by the name "nico-roddz" shared the information on The Hacker News site.
"Nico-roddz" — who is Nico Roddz, an online marketing analyst based in Argentina — explained that a friend forwarded him an email from a Facebook group notification. When he clicked on the URL, "I got automatically logged into my friend's account," he said on Hacker News. In some cases, no password was needed. Roddz contends more than 1 million Facebook user accounts were at risk.
It was "definitely a Facebook security issue," he wrote.
Facebook, contacted by NBC News, said in a statement that the URLs, or links, that were vulnerable "were sent directly to private email addresses to help people easily access their accounts, and we never made them publicly available or crawlable."
The links were "subsequently posted elsewhere online, which led to their indexing in search engines."
While Facebook has "always had protections on these private links to provide an additional layer of security, we have since disabled their functionality completely and are remediating the accounts of anyone who recently used this feature."
Facebook engineer Matt Jones, who works on the site's security team, pretty much said the same thing on the Hacker News site, adding:
"In the future if you run into something that looks like a security problem with Facebook, feel free to disclose it responsibly through our White Hat program: https://www.facebook.com/whitehat. That way, in addition to making some money, you can avoid a bunch of script kiddies exploiting whatever the issue is that you've found."
— Via The Next Web