Facebook has disabled a feature that contained a security flaw allowing access to some accounts without a password.

The vulnerability affected as many as 1.32 million Facebook accounts: direct links to those accounts, which bypass the password requirement, were appearing in Google search results.
 
Matt Jones, security engineer for Facebook, said that the links in question are designed to be sent directly to the email addresses of account holders to log back into their accounts more quickly, such as in the case of email notifications for status updates. However, some of these links had been shared in the wild, thanks to hacked emails, throwaway mail websites, and services with poor protection of archived messages.
Most of the links can only be clicked once, which means many of them have already expired, but Facebook decided to disable the quick access feature until better security is put in place. It is not clear how it will address the issue of allowing easy access without potentially compromising accounts.
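As an added illustration of the single-use, expiring login-link mechanism the article describes, the following Python sketch is not Facebook's code and makes several assumptions: a placeholder host name, a fifteen-minute token lifetime, and an in-memory token store standing in for a database. It shows the three properties that limit the damage when such a link is leaked through an archived mailbox or a search engine: the token is unguessable, only its hash is stored server-side, and it is consumed on the first redemption attempt whether or not that attempt succeeds.

```python
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlparse

# Constructed in-memory store, keyed by the SHA-256 of the token rather than
# the token itself, so a copy of this table does not yield working links.
_TOKENS = {}

# Assumed lifetime: short enough that a link found later in an archive is stale.
TOKEN_TTL_SECONDS = 15 * 60


def issue_login_link(user_id, now=None):
    """Mint a one-time login token for user_id and return the URL to e-mail."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    digest = hashlib.sha256(token.encode()).hexdigest()
    _TOKENS[digest] = {
        "user_id": user_id,
        "expires": now + TOKEN_TTL_SECONDS,
        "used": False,
    }
    # Placeholder host; a real deployment would use its own HTTPS origin.
    return f"https://example.invalid/login?token={token}"


def token_from_link(url):
    """Extract the token query parameter from a login link."""
    return parse_qs(urlparse(url).query).get("token", [None])[0]


def redeem_login_token(token, now=None):
    """Return the user_id if the token is known, unused and unexpired, else None.

    The token is marked used before the expiry check, so one presentation of a
    link (even an expired one) burns it and a later replay cannot succeed.
    """
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    record = _TOKENS.get(digest)
    if record is None or record["used"]:
        return None
    record["used"] = True  # single use: consumed on first attempt
    if now > record["expires"]:
        return None
    return record["user_id"]


if __name__ == "__main__":
    link = issue_login_link("user-42")
    first = redeem_login_token(token_from_link(link))
    second = redeem_login_token(token_from_link(link))
    print("first redemption:", first)    # the user id
    print("second redemption:", second)  # None, link already consumed
```

Hashing before lookup means the stored value is useless to anyone who obtains the table, while the short lifetime and single-use rule together address the exact failure mode in the article: a link that has already been clicked, or that sat in a mailbox for days, is dead by the time a search engine surfaces it.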
 
Facebook was keen to stress that it never made any of those links “publicly available or crawlable,” blaming the situation on external websites that had exposed the information to search engines.
 
Most of the users affected by the vulnerability are in Russia or China, and Facebook said it has taken steps to secure the accounts of these users and anyone else who recently used the feature.
 
Source: BBC