Clicking a Facebook link logs me into another person's account

peter

Peter Kim Frank

Posted on December 4, 2017

Clicking a Facebook link logs me into another person's account

Background

Last week I received a forwarded message from my mom's email account. I approach any "FWD: FWD: FWD: You have to see this!" type of email chain with skepticism.
But... I was curious, and I determined that if it looked safe to proceed, I would. I moused over the "Open Facebook" link, copied the URL, and gave it a close inspection β€”

https://www.facebook.com/n/?********************

I've been around ccTLDs and have seen enough domain spoof tricks that I was confident the link was legitimate. I decided to check out what she had sent me.

I pasted the link into the address bar, hit enter, and suddenly found myself looking at my mom's news feed! Somehow I had been logged out of my account, and had been logged in to her account.

I immediately signed out and attempted to recreate this phenomenon, wondering if I was imagining things. Lo and behold, it worked again β€” I was logged out of Facebook, now I was logged in as her.

Technical Notes

  • It does not work in an incognito window
  • It does not work in a new Chrome "People" instance, even if I start off logged in on my personal account
  • It only works in my specific Chrome browser
  • It does work if I'm already logged in to my account
  • It also does work if I'm signed out of all accounts
  • I am 99% confident my mom has never logged into Facebook on this computer

  • Here's the forwarded email (personal info removed):

  • Every clickable link in that email logs me in; but here's the full "Open Facebook" link. I've removed my mom's email and her friend's user ID for privacy.
    https://www.facebook.com/n/?{mom's-friend}%2Fposts%2F10212496299814942&aref=1511993084134606&medium=email&mid=55f260918c1fcG5af35c4d77cdG55f2652aec4ceG318&bcode=2.1511993084.Abxk5s8psLBCN-Sfxn4&n_m={my-mom}%40{her-domain}.com

  • Here's a GIF. Please note that I've cropped a few frames and then used a screenshot of FB at the very end for privacy reasons. Just didn't want my mom's email or random contacts showing up.

Conclusion

Given that this only works in my specific browser window, I'd have to think it's due to cookies or something. I haven't cleared my cookies/cache, because I want to preserve any useful info before going to that step of the experiment.

Does anyone know what's going on?

PS β€” the video link she evidently wanted to share is that "slippery stairs" clip that's been going around :)

πŸ’– πŸ’ͺ πŸ™… 🚩
peter
Peter Kim Frank

Posted on December 4, 2017

Join Our Newsletter. No Spam, Only the good stuff.

Sign up to receive the latest update from our blog.

Related

Open-Source != Transparency
opensource Open-Source != Transparency

November 21, 2024

System Design Covering Fundamental Concepts
systemdesign System Design Covering Fundamental Concepts

October 14, 2024

Who is a Hacker?
cybersecurity Who is a Hacker?

October 11, 2024

Artificial Intelligence and Coding
security Artificial Intelligence and Coding

October 21, 2024