Facebook Mobile Email Security Flaw Exposed

I just wanted to post about a flaw I was stung with in Facebook; credit goes to Craig Hamnett, who "discovered" it and used it to frape and utterly confuse me.

The Flaw!

This isn't a huge flaw, but it could be used against you by colleagues, "friends" ... who knows who else. The basic problem is this: if executed, this flaw can be used to post updates, images, etc. to your Facebook wall. At this point I'm sure you're thinking "well, that sounds pretty huge to me!" The only reason I count it as not "huge" is that the person fraping you would need to know your password, or have 30 seconds of access to your Facebook account while it's logged in, in order to gather the information needed to post to your feed at any later time.

OK, OK, enough jabber; let's get to it. The flaw is to do with "Facebook Mobile email", a feature within Facebook Mobile that lets you update your Facebook feed via email: basically you are provided with an email address by Facebook, and mailing it will update your feed.

In order to use this feature, go to http://www.facebook.com/mobile while logged in on a non-mobile device; at the bottom somewhere you should see something that looks like the image below on the left.

As you can see, it lists the email address I need to use to update my feed (for the record, I'm not stupid enough to post the email address for my own account on the internets). Now some of you might be thinking "what's wrong with that, nifty feature", and you're not wrong; it is. The issue is this: anyone with that email address can now send an email from any email client or address in the world, and it'll be posted from you on your Facebook wall! Eeek ... so a colleague got on my PC for 30 seconds and now they have access to my wall at any time; you don't even need to be logged into Facebook. I'm sure a few of you are thinking this isn't a huge deal, as you need to be logged in to gain the address, but in a world of shared offices and public computers it really is; especially if, like me, you were unaware of this feature and had no idea how the frapings were taking place. And when you finally figure out what's going on, the method to reset it is pretty hidden away!

Resetting the email address

Some of you might be here because this has happened to you and Facebook provides no information on how to reset the address ... well, I have some bad news: you can't reset it, and if you could I wouldn't tell you how! ... just kidding, haha ... OK, maybe that wasn't funny. Right, here we go: go back to http://www.facebook.com/mobile while logged in, and find the block on the page that looks like the picture to the right. Then click the "Find out more" link; I've highlighted it in red.

You'll be presented with a popup that looks something like the one below.

Now simply click "refresh your upload email"; you'll be prompted to confirm you want to reset the email, so accept. That's it, the email is reset. Not too hard when you know how, but it's hardly obvious until you get into the popup.


For me the two worst things about this "feature", the things that make me frown, are simply: 1) there doesn't seem to be any way to turn it off once it's turned on, and 2) it could be so much more secure by simply requiring that the email address that sends the email be one linked to your Facebook account. Now, I know email addresses can be spoofed, but even that is easily traceable unless you really know what you're doing, which, let's face it, your average colleague committing a 30-second frape isn't going to know how to do.
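To make the two complaints concrete, here is a toy post-by-email gateway written for this post; it is an added example, not Facebook's code, and everything in it (the account store, the `example.invalid` addresses, the two inbound messages) is constructed. `post_by_email_weak` behaves the way the post describes, with the upload address as the only credential; `post_by_email_hardened` adds the linked-sender check from point 2; `refresh_upload_address` is the "refresh your upload email" step from the reset section, and `disable_upload_by_email` is the off switch the author wishes existed in point 1.

```python
import email
import secrets
from dataclasses import dataclass, field
from email.utils import parseaddr

UPLOAD_DOMAIN = "m.example.invalid"  # constructed placeholder domain


@dataclass
class Account:
    name: str
    upload_address: str
    linked_senders: set = field(default_factory=set)  # addresses tied to the account
    wall: list = field(default_factory=list)          # posts that made it through


# Constructed account store keyed by the secret upload address.
ACCOUNTS = {
    "abc123xyz@" + UPLOAD_DOMAIN: Account(
        name="alice",
        upload_address="abc123xyz@" + UPLOAD_DOMAIN,
        linked_senders={"alice@example.invalid"},
    ),
}

# Constructed inbound messages: one from the owner's linked address, one from
# an address that is not linked to the account but knows the upload address.
MAIL_FROM_OWNER = """From: Alice <alice@example.invalid>
To: abc123xyz@m.example.invalid
Subject: status

Lunch at one?
"""

MAIL_FROM_OTHER = """From: Bob <bob@example.invalid>
To: abc123xyz@m.example.invalid
Subject: status

I love Mondays.
"""


def _account_for(msg):
    # The recipient is the secret upload address; that is the lookup key.
    _, rcpt = parseaddr(msg.get("To", ""))
    return ACCOUNTS.get(rcpt.lower())


def post_by_email_weak(raw):
    """Upload address as the sole credential: whoever mails it gets a post."""
    msg = email.message_from_string(raw)
    acct = _account_for(msg)
    if acct is None:
        return "rejected: unknown upload address"
    acct.wall.append(msg.get_payload().strip())
    return "posted"


def post_by_email_hardened(raw):
    """Same handler, but the From address must be linked to the account.
    A forged From header can still pass this, so it is a second check on top
    of the secret address, not a replacement for keeping it secret."""
    msg = email.message_from_string(raw)
    acct = _account_for(msg)
    if acct is None:
        return "rejected: unknown upload address"
    _, sender = parseaddr(msg.get("From", ""))
    if sender.lower() not in acct.linked_senders:
        # Surface the rejected sender so the owner can see who tried.
        return f"rejected: sender {sender} not linked to account {acct.name}"
    acct.wall.append(msg.get_payload().strip())
    return "posted"


def refresh_upload_address(acct):
    """Mint a fresh random address and retire the old one, so a copied
    address stops working; returns the new address."""
    old = acct.upload_address
    new = secrets.token_hex(8) + "@" + UPLOAD_DOMAIN
    ACCOUNTS.pop(old, None)
    acct.upload_address = new
    ACCOUNTS[new] = acct
    return new


def disable_upload_by_email(acct):
    """Turn the feature off outright: no address, nothing to leak."""
    ACCOUNTS.pop(acct.upload_address, None)
    acct.upload_address = None


if __name__ == "__main__":
    print("weak, unlinked sender:", post_by_email_weak(MAIL_FROM_OTHER))
    print("hardened, unlinked sender:", post_by_email_hardened(MAIL_FROM_OTHER))
    print("hardened, owner:", post_by_email_hardened(MAIL_FROM_OWNER))
    alice = ACCOUNTS["abc123xyz@" + UPLOAD_DOMAIN]
    print("refreshed to:", refresh_upload_address(alice))
    print("old address now:", post_by_email_weak(MAIL_FROM_OTHER))
```

Run it directly to see the weak handler accept the unlinked sender, the hardened one reject it, and the old address go dead after a refresh. In a real mail gateway the sender check should also consult the receiving server's SPF/DKIM results rather than trusting the From header alone, which is exactly the spoofing caveat the author raises.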


