Security Risks: The Option to Respond to Comments on Facebook

Article by George Norman (Cybersecurity Editor)

on 28 Jan 2010

Earlier this month we reported that popular social networking site Facebook lets you respond by email whenever someone posts a comment. The whole thing went something like this: when someone commented on your status update, one of your photos or a Wall post you would get an email notification about it; to respond to that comment you could reply directly to the email notification.

This feature was meant to make things simple, more convenient for the Facebook user. Normally you would have to access your inbox to read the notification email, then access your Facebook account, then respond to the comment. Thanks to this feature, after reading the notification email, you could just hit “Reply” and type your message – which would be sent to Facebook without you having to log in.

Turns out that there is a price to pay for this convenience – the price is security. A security problem with this “respond by email” feature has been discovered by F-Secure, a company that specializes in providing antivirus, antispyware, firewall and internet security tools for home users and businesses.

“Facebook recently published a nice new feature: Reply to this email to comment on this status. This seems like a very handy feature to have if you're trying to converse with friends on the go. But is it secure? As it turns out, based on our testing, anyone can use the Reply To address, from any e-mail account. Of course, the notification links are only sent to the account holder's primary e-mail, but we all know just how often e-mail accounts are phished/hacked, right?” said F-Secure.

Facebook generates a unique email address whenever a comment is posted on the social networking site. That email address’s job is to listen for replies. What F-Secure have discovered is that anyone, from any email address, can reply to that address – an address which is in plain sight, by the way. As long as someone can see your wall, that person can see your reply addresses.

F-Secure fears this could become a target for spammers, phishers and other people with malicious intent.
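The weakness described above is a classic one: a per-comment reply address acts as a bearer token, so possession of the address is the only thing that authorises a post. The following Python snippet is an added illustration (not Facebook's code, and not anything F-Secure published) of how an inbound-mail handler for such a feature could be designed. The `reply+<id>.<token>@notify.example` address format, the `COMMENTS` table, the `SERVER_SECRET` and the `dkim_verified` flag are all constructed assumptions. `weak_accept` mirrors the behaviour the article reports (any sender with the address gets through); `hardened_accept` additionally requires the sender to be the registered owner and the message to carry a passing DKIM/SPF result, since the `From` header by itself is trivially forgeable.

```python
import hashlib
import hmac
from email.utils import parseaddr

# Hypothetical server-side secret used to mint reply tokens (constructed for this demo;
# a real service would hold this in a secrets manager and rotate it).
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"

# Constructed lookup table: comment id -> registered e-mail of the account that
# received the notification and is allowed to reply to it.
COMMENTS = {"c1001": "alice@example.com"}

REPLY_DOMAIN = "notify.example"  # assumed domain for the reply-to addresses


def make_reply_token(comment_id: str, owner_email: str) -> str:
    """Bind the token to both the comment and the owner's address with an HMAC,
    so it cannot be guessed or re-used for a different comment/owner pair."""
    msg = f"{comment_id}|{owner_email.lower()}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()[:32]


def make_reply_address(comment_id: str) -> str:
    """The unique reply-to address placed in the notification e-mail."""
    owner = COMMENTS[comment_id]
    return f"reply+{comment_id}.{make_reply_token(comment_id, owner)}@{REPLY_DOMAIN}"


def parse_reply_address(to_addr: str):
    """Split 'reply+<comment_id>.<token>@domain' into (comment_id, token), or None."""
    local, _, domain = to_addr.lower().partition("@")
    if domain != REPLY_DOMAIN or not local.startswith("reply+"):
        return None
    comment_id, sep, token = local[len("reply+"):].partition(".")
    if not sep or not comment_id or not token:
        return None
    return comment_id, token


def _token_is_valid(comment_id: str, token: str) -> bool:
    owner = COMMENTS.get(comment_id)
    if owner is None:
        return False
    expected = make_reply_token(comment_id, owner)
    return hmac.compare_digest(token, expected)


def weak_accept(mail_from: str, to_addr: str) -> bool:
    """Design the article describes: a valid reply address is all that is checked.
    Anyone who can read the address (e.g. from a visible wall) can post a comment."""
    parsed = parse_reply_address(to_addr)
    if parsed is None:
        return False
    comment_id, token = parsed
    return _token_is_valid(comment_id, token)


def hardened_accept(mail_from: str, to_addr: str, dkim_verified: bool) -> bool:
    """Hardened handling: the address must be valid AND the envelope sender must be
    the account's registered e-mail AND the message must have passed sender
    authentication (DKIM/SPF, represented here by the dkim_verified flag), because a
    bare From: header can be forged by anyone."""
    parsed = parse_reply_address(to_addr)
    if parsed is None:
        return False
    comment_id, token = parsed
    if not _token_is_valid(comment_id, token):
        return False
    if not dkim_verified:
        return False
    sender = parseaddr(mail_from)[1].lower()
    return hmac.compare_digest(sender, COMMENTS[comment_id].lower())


if __name__ == "__main__":
    addr = make_reply_address("c1001")
    print("reply address:", addr)
    print("weak, stranger  :", weak_accept("mallory@evil.example", addr))
    print("hard, stranger  :", hardened_accept("mallory@evil.example", addr, True))
    print("hard, owner     :", hardened_accept("Alice <alice@example.com>", addr, True))
    print("hard, no DKIM   :", hardened_accept("alice@example.com", addr, False))
```

Even the hardened variant only narrows the window: it still depends on the owner's mailbox not being compromised, which is exactly the residual risk F-Secure points to. A production design would also expire tokens and rate-limit replies per address.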
