by pasbesoin 2808 days ago
Prefix: I haven't confirmed yet that the OP error report is legitimate/accurate. Haven't been on FB in a while.

--

Yes. If you pay any attention to how users actually behave, this scenario is very obvious -- not just obvious, but observed, regularly.

"You're not doing it right" is not an excuse -- in any measure -- in a scenario such as this.

People forward emails. All the time. That often includes stuff they didn't intend to. Much less links they have no idea will provide the recipient access to their account.

Reminder [sorry if this is a bit stereotypical]:

Sewing circle Saturday at 2.

"I should send this to Sue and Pam, so they don't forget this month."

Or,

Notice: Book club next Friday instead of this.

"I'd better let Steve know. He never checks his schedule until the last moment, if then."

At one point, I had to check BigCo's email flows and behaviors. I sure as heck checked for things like this.

P.S. I guess I'll mention that one time, I caught a Google Docs non-email-related "lingering access" vulnerability. Google was going to close it as a non-issue or won't fix, until I pointed out its impact on their government Docs deployments and that I knew who to talk to on the government side. Then, it got fixed.

I hope we're not going further down the "some people matter more than others" hole. We already have help triage by social media prominence.

In that vein, maybe all that's left is to zero-day them (BigTechCo, in general), until they pro-actively improve their internal processes as well as external responsiveness.

1 comment

Not sure what to tell you... it's been corroborated by several people in this thread and apparently, FB considers this a feature.

I wish I had a dime for every HN karma point, but when I suddenly had full access to my friend's FB account there's little room for other explanations. I was her: open and shut case.

https://imgur.com/a/AgTVgZK

Note the "Not you?" bit. This bug has a UI.

I was just saying I hadn't experienced it myself nor tested it.

For the rest, I agree. This behavior is unacceptable, on the part of FB.