Beware Of Facebook Comment Spoofing

F-Secure has suggested that Facebook’s new reply-by-email feature may be exploitable. The press release explains that malicious users can respond to any thread on Facebook as long as they have that thread’s email address. The full explanation follows.

When someone posts an item or status update on Facebook and a user leaves a comment, a thread begins. Every user on the comment thread receives email updates of the latest activity on it. Facebook recently enabled users to respond to the thread directly from their email, simply by replying to the email notification.

The problem is that the address in that email notification can be used by anyone who has it. If someone were to obtain that address somehow, they could post on the thread, regardless of whether they’re your Facebook friend. Unfortunately for Facebook, this security vulnerability is relatively difficult to control. As Jacob Friedman points out:

While Facebook scammers still spam comments from accounts that get passwords stolen or phished, this type of hack is much more difficult for Facebook to control. Where Facebook could simply lock compromised accounts out until their owners change their passwords, it’s much more difficult for Facebook to fix compromised email accounts. It would be difficult for Facebook to work with email providers, especially smaller ones, to get compromised account holders to change their passwords. Facebook’s only recourse might be to delete the accounts of users with compromised email accounts.

So yes, there’s very little you can do to protect yourself against this problem aside from following good email security practices. Awareness, however, is the best form of protection! As a side note, this feature has been long requested and was certainly welcome from me, with my many, many status update comments posted to my profile (/sarcasm).
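To make the weakness concrete, here is an added example of how a reply-by-email handler can avoid accepting anything sent to a bare thread address. This is hypothetical code written for this post, not Facebook’s implementation: the reply address carries a secret token bound to one recipient and one thread (an HMAC under a server key), and the handler refuses replies whose token does not verify or whose sender is not the user the address was issued to. The domain, thread membership table and server key are all constructed for the demo.

```python
import hashlib
import hmac
from email import message_from_string
from email.utils import parseaddr

SERVER_KEY = b"constructed-demo-key"   # constructed; keep the real one in a secret store
DOMAIN = "reply.example.test"          # assumed domain for reply addresses
# Constructed membership table: thread -> {sender address: user id}.
THREAD_MEMBERS = {"thread42": {"alice@example.test": "alice", "bob@example.test": "bob"}}


def make_token(user: str, thread: str) -> str:
    """Per-recipient, per-thread secret that goes into the notification's reply address."""
    return hmac.new(SERVER_KEY, f"{user}:{thread}".encode(), hashlib.sha256).hexdigest()[:24]


def reply_address(user: str, thread: str) -> str:
    """Address placed in the notification sent to this user (ids assumed dot-free)."""
    return f"reply+{user}.{thread}.{make_token(user, thread)}@{DOMAIN}"


def parse_recipient(addr: str):
    """Split reply+<user>.<thread>.<token>@DOMAIN; a bare thread address yields None."""
    local, _, domain = addr.partition("@")
    if domain != DOMAIN or not local.startswith("reply+"):
        return None
    parts = local[len("reply+"):].split(".")
    return tuple(parts) if len(parts) == 3 else None


def accept_reply(raw: str):
    """Return (post, reason); post is None when the reply is refused."""
    msg = message_from_string(raw)
    _, to_addr = parseaddr(msg.get("To", ""))
    _, from_addr = parseaddr(msg.get("From", ""))
    parsed = parse_recipient(to_addr)
    if parsed is None:
        return None, "not a tokenised reply address"
    user, thread, token = parsed
    if not hmac.compare_digest(token, make_token(user, thread)):
        return None, "token does not verify"
    # Sender check: a leaked address only works from the mailbox it was issued to.
    # A forged From header together with the token still passes; that residual
    # risk (a compromised mailbox) is exactly what the article describes.
    if THREAD_MEMBERS.get(thread, {}).get(from_addr.lower()) != user:
        return None, "sender is not the user this address was issued to"
    return {"user": user, "thread": thread, "body": msg.get_payload().strip()}, "ok"


def demo_mail(to_addr: str, from_addr: str, body: str = "Count me in!") -> str:
    """Constructed minimal message used to exercise the handler."""
    return f"From: {from_addr}\r\nTo: {to_addr}\r\nSubject: Re: thread\r\n\r\n{body}\r\n"
```

Checking sender address alone, as suggested in the comments, is spoofable; the secret token is what keeps a thread address from being a shared password, and the sender check is a second layer on top of it.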





Comments (6 Responses)

I can only think of one way to protect your e-mail. Speaking for just myself, I would appreciate any suggestions you would have on that otherwise.

Couldn’t the Facebook dev team make it so that it checks to see what email address the email-delivered comment reply is coming from, and then with that information, match to see if this email address is associated with a person that is friends with the user they’re replying to? *takes a breath* I know that would require a lot of overhead but I don’t know how else to get around this.

Pamela: I think you should make sure to keep your email password secure for now. If people aren’t getting in, you’re OK.

Daryn: I think that’s a good answer, and I imagine they will totally implement that solution.

I think it’s practical in a way but imagine how many people are using this new feature daily. The amount of overhead on the server for this would be huge. I’m sure someone would find a way to circumvent it too, because there are ways to spoof email addresses as well. Their method of authentication would have to be able to dig deeper, thus adding more overhead to an already heavy amount of server work.

Thanks for the write up, how about a follow up for those of us that read this 10 years too late. You never cease to amaze me!

