by Hyperized 2808 days ago
It actually is a huge risk.

You make the same flawed assumption many people (including the folks over at FB) make, that your email is private and that once it's breached it's game over anyway.

The reason we came across this issue a while ago (see below) is that an elderly family member was forwarding emails when people had invited this person to an event. This family member knows better than to forward emails regarding password resets and account details. They really didn't do anything wrong. They just, unbeknownst to them, shared full account access with 50 other people.

Nowhere in this email does it say 'don't forward', and the expectation of anyone clicking one of those email links would be to be prompted for credentials when they are not currently logged in as that person. Now, no matter what device you are on, it seems you can with one click be granted access to the entire account based on that link alone.

It's not even a one-time-use token, it's an all-access free pass.

Social engineering wise it's so simple: "Hey buddy, that party tonight, do you still have the invite email? I forgot and I'm on my way to work now." - done.
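As an added illustration (this is not code from the thread or from Facebook; the token layout, field names, signing key and in-memory nonce store are all assumptions), here is the pattern the comment objects to placed next to a safer one: a link that is a reusable bearer login for the whole account, versus a link that is scoped to one event, expires, can be redeemed once, and never stands in for a login.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Assumed server-side HMAC key (constructed for this example; a real service
# would load it from a secret store and rotate it).
SERVER_KEY = b"constructed-example-key"


def _sign(payload: bytes) -> str:
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()


def _pack(payload: bytes) -> str:
    """Encode payload and append its MAC: <base64url(payload)>.<hex mac>."""
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)


def _unpack(token: str) -> Optional[bytes]:
    """Return the payload if the signature verifies, else None."""
    try:
        data, sig = token.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(data)
    except (ValueError, TypeError):
        return None
    if not hmac.compare_digest(sig, _sign(payload)):
        return None
    return payload


# --- Weak design: the link is a long-lived bearer credential for the whole account.
def weak_issue_link(user_id: str) -> str:
    return _pack(f"login|uid={user_id}".encode())


def weak_redeem_link(token: str) -> dict:
    payload = _unpack(token)
    if payload is None:
        return {"ok": False, "reason": "bad signature"}
    uid = payload.decode().split("uid=", 1)[1]
    # Whoever holds the link gets a full session: no expiry, no use counter,
    # no check that the clicker is the addressee. Forwarding the mail
    # forwards the account.
    return {"ok": True, "session_for": uid, "scope": "full"}


# --- Hardened design: scoped, expiring, single-use, and never a login by itself.
_used_nonces = set()  # constructed stand-in for a server-side replay store


def hardened_issue_link(user_id: str, event_id: str, ttl_s: int = 3600,
                        now: Optional[int] = None) -> str:
    now = int(time.time()) if now is None else now
    nonce = secrets.token_urlsafe(16)
    payload = (f"view_event|uid={user_id}|event={event_id}"
               f"|exp={now + ttl_s}|nonce={nonce}").encode()
    return _pack(payload)


def hardened_redeem_link(token: str, logged_in_uid: Optional[str],
                         now: Optional[int] = None) -> dict:
    now = int(time.time()) if now is None else now
    payload = _unpack(token)
    if payload is None:
        return {"ok": False, "reason": "bad signature"}
    fields = dict(kv.split("=", 1) for kv in payload.decode().split("|")[1:])
    if now > int(fields["exp"]):
        return {"ok": False, "reason": "expired"}
    if fields["nonce"] in _used_nonces:
        return {"ok": False, "reason": "already used"}
    _used_nonces.add(fields["nonce"])
    # The link only ever unlocks the one event it names. Anything beyond that
    # (RSVP, profile, messages) still needs the addressee's own session.
    result = {"ok": True, "scope": "view_event", "event": fields["event"]}
    if logged_in_uid != fields["uid"]:
        # Someone other than the addressee clicked: show the event, prompt
        # for login for anything more, never switch them into the account.
        result["login_required_for_more"] = True
    return result
```

The weak redeem accepts the same token any number of times and hands back a full session for whoever presents it, which is exactly what forwarding the invite leaks. The hardened redeem fails on a tampered signature, after the TTL, and on the second use, and even a valid first use yields only a view of the named event.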


Prefix: I haven't confirmed yet that the OP error report is legitimate/accurate. Haven't been on FB in a while.

--

Yes. If you pay any attention to how users actually behave, this scenario is very obvious -- not just obvious, but observed, regularly.

"You're not doing it right" is not an excuse -- in any measure -- in a scenario such as this.

People forward emails. All the time. That often includes stuff they didn't intend to. Much less links they have no idea will provide the recipient access to their account.

Reminder [sorry if this is a bit stereotypical]:

Sewing circle Saturday at 2.

"I should send this to Sue and Pam, so they don't forget this month."

Or,

Notice: Book club next Friday instead of this.

"I'd better let Steve know. He never checks his schedule until the last moment, if then."

At one point, I had to check BigCo's email flows and behaviors. I sure as heck checked for things like this.

P.S. I guess I'll mention that one time, I caught a Google Docs non-email-related "lingering access" vulnerability. Google was going to close it as a non-issue or won't fix, until I pointed out its impact on their government Docs deployments and that I knew who to talk to on the government side. Then, it got fixed.

I hope we're not going further down the "some people matter more than others" hole. We already have help triage by social media prominence.

In that vein, maybe all that's left is to zero-day them (BigTechCo, in general), until they pro-actively improve their internal processes as well as external responsiveness.

Not sure what to tell you... it's been corroborated by several people in this thread and apparently, FB considers this a feature.

I wish I had a dime for every HN karma point, but when I suddenly had full access to my friend's FB account there's little room for other explanations. I was her: open and shut case.

https://imgur.com/a/AgTVgZK

Note the "Not you?" bit. This bug has a UI.

I was just saying I hadn't experienced it myself nor tested it.

For the rest, I agree. This behavior is unacceptable, on the part of FB.