This article was published on January 26, 2010

Facebook Email Reply Security Hole?

Facebook Email Reply Security Hole?

Facebook Security HoleWhile the new Facebook “reply to this email to comment” feature is certainly handy, it appears that the feature has inadvertently exposed a security hole in the Facebook comments system.

F-Secure detailed the security hole in a press release today, explaining that if a commenter’s email account is phished or hacked, it’s quite easy to spoof that user and reply to comments. When a commenter receives an email, it’s very easy to simply copy the “reply to” field and paste it into any email. As long as the subject line contains “Re:” the system will accept the comment and post it in the comments field.

Does this mark the rise of (more) spam comments?

While Facebook scammers still spam comments from accounts that get passwords stolen or phished, this type of hack is much more difficult for Facebook to control. Where Facebook could simply lock compromised accounts out until their owners change their passwords, it’s much more difficult for Facebook to fix compromised email accounts. It would be difficult for Facebook to work with email providers, especially smaller ones, to get compromised account holders to change their passwords. Facebook’s only recourse might be to delete the accounts of users with compromised email accounts.

If you’re interested in trying this exploit for yourself, send an email to this address and your comments should show up here. If you can’t get it to work, remember to add “Re:” to the subject line.