While the new Facebook “reply to this email to comment” feature is certainly handy, it appears that the feature has inadvertently exposed a security hole in the Facebook comments system.
F-Secure detailed the security hole in a press release today, explaining that if a commenter’s email account is phished or hacked, it’s quite easy to spoof that user and reply to comments. When a commenter receives a notification email, anyone who can read it can simply copy the “reply to” address and paste it into a message sent from any mailbox. As long as the subject line contains “Re:”, the system accepts the message as a comment and posts it under that user’s name.
Does this mark the rise of (more) spam comments?
Facebook scammers already spam comments from accounts whose passwords have been stolen or phished, but this type of abuse is much more difficult for Facebook to control. Where Facebook can simply lock compromised accounts out until their owners change their passwords, it has no way to fix compromised email accounts. It would be difficult for Facebook to work with email providers, especially smaller ones, to get compromised account holders to change their passwords. Facebook’s only recourse might be to delete the accounts of users whose email accounts have been compromised.
If you’re interested in trying this exploit for yourself, send an email to this address and your comments should show up here. If you can’t get it to work, remember to add “Re:” to the subject line.
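As an added illustration (not code from the article, from F-Secure, or from Facebook), here is a reply-by-email ingestion check in two forms: the bearer-address acceptance the article describes, where holding the reply address plus a “Re:” subject is enough, and a hardened variant that binds the token to the commenter’s registered address, requires a DKIM pass for that address’s domain, and makes each token expire and work only once. The domain names, the one-week TTL, the in-memory store and the Authentication-Results format are assumptions for the example.

```python
import secrets

# Constructed stand-ins for the backend: registered user emails and issued reply tokens.
USER_EMAIL = {"u1": "alice@example.org"}
ISSUED: dict[str, dict] = {}          # token -> {"comment", "user", "issued", "used"}
TOKEN_TTL = 7 * 24 * 3600             # seconds a reply address stays valid (assumed policy)

def issue_reply_address(comment_id: str, user_id: str, now: float) -> str:
    """Mint the per-notification address (c+<token>@reply.example.com). The random
    token is unguessable, but anyone holding the mail can use it: it is a bearer credential."""
    token = secrets.token_urlsafe(24)
    ISSUED[token] = {"comment": comment_id, "user": user_id, "issued": now, "used": False}
    return f"c+{token}@reply.example.com"

def token_of(to_addr: str) -> str:
    local = to_addr.split("@", 1)[0]
    return local.split("+", 1)[1] if "+" in local else ""

def weak_accept(to_addr: str, subject: str) -> bool:
    """Behaviour described in the article: possession of the address plus a subject
    containing 'Re:' is enough to post as the user, from any mailbox."""
    return token_of(to_addr) in ISSUED and "Re:" in subject

def dkim_pass_domain(auth_results: str):
    """header.d of a dkim=pass verdict in the Authentication-Results added by our own MX."""
    for clause in auth_results.split(";"):
        fields = clause.split()
        if fields and fields[0] == "dkim=pass":
            for f in fields[1:]:
                if f.startswith("header.d="):
                    return f[len("header.d="):].lower()
    return None

def hardened_accept(to_addr: str, sender: str, auth_results: str, now: float) -> tuple:
    """Treat the address as a token bound to one user and one notification: unexpired,
    single-use, and carried by mail that authenticates as that user's provider. A phished
    mailbox still passes DKIM, so the TTL and single-use rules bound what it can post."""
    tok = ISSUED.get(token_of(to_addr))
    if tok is None:
        return False, "unknown token"
    if now - tok["issued"] > TOKEN_TTL:
        return False, "expired"
    if tok["used"]:
        return False, "already used"
    if sender.lower() != USER_EMAIL[tok["user"]]:
        return False, "sender does not match registered address"
    if dkim_pass_domain(auth_results) != sender.split("@", 1)[1].lower():
        return False, "mail not authenticated for sender domain"
    tok["used"] = True
    return True, f"post to comment {tok['comment']} as {tok['user']}"
```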
If a commenter’s email account is phished or hacked, the hacker can simply reset the password and do everything with the account…
I think the point here is the address (c+202is…@reply.facebook.com) is generated to be unguessable, similar to an API token, password token, etc. If someone does end up guessing or obtaining the address, that would be similar to someone guessing or obtaining your password and logging into your account. In either case, it can only be as secure as people keep it. It's really outside the scope of Facebook to police whether people choose to keep it secure. The user may even intend to give the address out to people in certain use cases. I can't see anything wrong with their approach here. I.e., if I give you a secure (account), and you go hand it to 10 people, don't complain that 10 people are now (logging into) your (account).
The reply address is dynamically generated and is unique to each comment post. However, if any given Facebook user's email address is phished, it presents a veritable treasure trove of potential comments to spam. I know that if someone managed to hack my email info, they could completely wreck my Facebook, because I generally comment a lot. I know that a lot of other people do, too.
I hear where you are coming from. It's an unfortunate situation in any case. Emotions aside, however, just looking at this from the facts:
The blame still has to be on the user for leaking the address. If it was hacked or phished, the blame is still on the user. Unless Gmail/Yahoo was actually compromised somehow, it's still the user's fault. If anyone gets their email account compromised, they probably have much bigger problems to worry about.
If I were to see someone's Facebook account begin to spam, I would just remove them (after all, it's no longer really them). So spam is really a non-issue… just don't follow/friend spammers and you won't see it.
This isn't to say it doesn't suck that it happens to people. Just that there are pieces in place already to remedy it (don't be susceptible to attacks, unfriend, unfollow).
FUCK YOU FACEBOOK TEAM… DON'T REPLY TO USERS' EMAILS. FUCKING CHEATING WEBSITE