Facebook users able to access others’ inboxes?
Updated
Facebook was down for hours today — the company’s error screen says this was due to an upgrade.
Multiple sources, though, are pointing to an error which lets users log in as other users and read the contents of their inboxes — although we have yet to see this for ourselves. We’re awaiting a response from the company.
A blog called Mdibb has the following report:
So I cleared the cookie and went back to Facebook again to log in. But now the Facebook page was showing me a completely different email address. A quick look in the source code and sure enough the email address was hard-coded into the tag’s value attribute! If I refreshed the page immediately I got my email again, but if I closed the browser and left it for a few minutes then went back - bingo! Another person’s email address had appeared! I wonder how many “live” email addresses got harvested today? I know I saw at least 5 or 6 and I was only looking for a few minutes…
So fast forward another couple of hours and I visit Facebook again - now more out of curiosity than clinical addiction - and there is a notice up:
Pardon my paranoia, but is this not pretty odd? No prior warning, no adverts, no schedule, the source code has what looks like some frantically hand-coded HTML using
and
despite the XHTML doctype. Makes you wonder. What happened today Facebook?
Source: VentureBeat