nico-roddz's comments

You're welcome!

For the curious. Google results before patch:

When you like or share a post in your newsfeed, you're sending a linkback to the original post.

So, if your newsfeed is public "to everyone" Google is able to crawl and index the content on it (discard the original post privacy settings)

Thanks Matt,

My only concern is my account security (not money).

I found this issue with almost no technical knowledge, so the crazy thing is:

How many back doors should be over there ready to be exploited by spammers?

BTW, a big "report security issue" button on https://www.facebook.com/help/ would certainly help next time.

Thanks again,

Nico

This is how everything started:

A friend forward me an email from a FB group notification

Something like:

http://www.facebook.com/n/?groups%[id here]%2Fpermalink%[id here]%2F&mid=[id here]&bcode=[id here]-mjoi&n_m=[email adress here]

When I clicked the url I got automatically logged into my friend's account.

So is definitely a Facebook security issue.

Then I tried some google searches to see if I could find some urls containing the parameters:

bcode= &email= n_m= mid=

Not a big deal, really.

It's not an accident. You can even get fake urls indexed

Use this Google's query:

inurl:bcode=[]+n_m=[] site:facebook.com

Same thought. It must be really easy if you use an scraper and decode the urls.

It's really weird.

It's seems that Facebook uses robots.txt to block this pages

But, depending of the amount of inbound links, Google will index the urls anyway.

It's a common issue.