Three Facebook users, Hasin Hayder, Rifat Nabi, and Abu Ashraf Masnun, have discovered a security hole in the social network that could lead to a potentially big privacy problem. The “post-by-email” feature in Facebook Groups reportedly lets an attacker post photos or plain text posts as anyone that is a member of a given group. There are a few requirements, however, if I wanted to spoof you: I would need a local SMTP server (or a server side script) and I would need to know the email address connected to your Facebook account.
Here is how it works. The attacker just has to compose a new email, change the “From:” field in the mail header and replace it with the victim’s email address, and then send the email to the group email address. The exploit works because Facebook does not employ a verification system to check who the email is coming from (according to the trio); the service simply believes the victim is sending the email and posts it as that Facebook user to the group’s Wall on the victim’s behalf. I find that unlikely, but it worked for them.
Hayder explains how Facebook can fix the issue, which he calls a “massive security flaw.” He says Facebook should turn off the “Post by Email” feature immediately and then offers two possible solutions:
- By enabling verification of a security token: Facebook may give you one security-token which will be known by you and YOU ONLY, and you will have to include it somewhere in the mail (body/subject) while using this “POST BY EMAIL” feature. Once they verify it as you, they will allow that post to go to the group wall.
- By verifying origin of the mail: Once you use this “POST BY EMAIL” feature, Facebook may send you a confirmation/verification link to your email address which must click on to verify the authenticity of your content.
While the trio disclosed this flaw responsibly to Facebook, the company has not had much time to react. Hayder penned his post just 14 hours after sending the company information and when he got an automatic response saying the company may not have time to look and respond to every report they receive, he posted the issue publicly in the hopes that Facebook will fix it as soon as possible.
It’s worth noting that this does not affect every Facebook Group. Administrators of groups first have to set up the group email feature. Furthermore, I would assume that secret groups that cannot be seen publicly would not be affected, unless of course the attacker is also part of that group and wants to target other members.
I have contacted Facebook about this issue. I will update you if and when I hear back.
Update at 3:00PM EST: The blog post has been pulled. Meanwhile, Facebook has told me it is looking into the issue.
Update at 3:25PM EST: Facebook says that it does look out for this flaw, but that ultimately it’s not the company’s fault. Here’s what a Facebook spokesperson told The Next Web:
Facebook Group email updates, similar to all emails received over SMTP, do not provide authentication for the sender address. This is a known vulnerability of the SMTP system, but Facebook will seek to display a warning whenever the sender can not be authenticated. To help ensure a secure environment, our system rejects most unauthenticated email to groups, but there are still a few cases that we accept the message and warn the user due to a high rate of false positives and limited adoption of authentication standards. We’re working with the industry to develop better standards and practices to close those remaining holes. We remind all of our users to be careful whenever they receive a message from an unrecognized or unauthenticated source.
It looks like Hayder, Nabi, and Ashraf got lucky and found one of the “few cases” that Facebook allows.
Image credit: stock.xchng