Total Pageviews

Facebook Shortcut Exposed User Data

Facebook Cancels Shortcut Over Concern for Security

SAN FRANCISCO - What was supposed to be a shortcut for Facebook users to log into their pages ended up exposing their e-mail addresses - and, in some cases, potentially allowing access to their accounts as well.

A Facebook spokesman said on Friday that the company had created the shortcut, called auto login, to let some users go directly to their pages by clicking on a Web link sent to their e-mail addresses. Once they clicked on the link, they could get into their accounts, rather than having to go to Facebook.com and log in.

Some of the links required users to type their passwords, while others did not, the company said.

On the Web site Hacker News, a technology discussion board, Matt Jones, an engineer at Facebook, said the company had offered the service for “ease of use” and never made the Web addresses “publicly available.”

But they did become publicly available, as the discussion on Hacker News revealed on Friday.

The Facebook spokesman, Frederic Wolens, said some users may have posted the links on the Web, allowing anyone to search for them. Those links could give a stranger access to the Facebook pages connected to them, as well as the e-mail addresses of those users. Mr. Wolens said he had no explanation why someone would post the links.  

When Facebook found the problem, it discontinued the shortcut.

The Hacker News thread said over one million Facebook accounts had been affected. Facebook could not confirm that figure on Friday afternoon.

TrendMicro, a private security company that offers safety tools for Facebook users, said Web address shortcuts were inherently dangerous because they could ultimately end up on the Web.

“Many, many hackers are targeting these portals because of the ubiquitous trust and use of them,” said Tom Kellermann, vice president for cybersecurity at TrendMicro. He added, “You don't take shortcuts through the woods in cyberspace.”

The news of the security hole comes a week after a Bulgarian blogger, Bogomil Shopov, said he had bought 1.1 million Facebook users' names and e-mail addresses on the Web for $5. He found the information for sale on a marketplace site, gigbucks.com. The items are no longer available.

Mr. Wolens of Facebook said the data had been acquired and compiled by someone who took whatever information Facebook users made public on their pages - and from other publicly available data about those users.

Mr. Kellermann of TrendMicro said the problem with the shortcut could explain how the names and e-mail addresses that Mr. Shopov had found became public. Facebook said the security flaw and the user data for sale had nothing to do with each another.

“We have no reason whatsoever to believe that these two incidents are related,” Mr. Wolens said.

A version of this article appeared in print on November 3, 2012, on page B2 of the New York edition with the headline: Facebook Cancels Shortcut Over Concern for Security.