[jpadvo]

Here's one theory and analysis of what might have happened. Some people's emails got out into the public internet, and were indexed. Some of these emails were from Facebook, and included links to resources that require login. These links pre-populated the username field for convenience, or in some cases auto-login the user. Facebook's engineers probably did not anticipate email notifications to users being crawled by Google. Live and learn, eh?

But could Facebook have done something to prevent or minimize the damage caused by these leaked emails?

1. Lets start with the auto-login links, as those are the scariest. Do those links use one-time-use tokens, and do the tokens expire? If either or both of those steps was skipped it makes this leak much more serious, and speaks to negligence or disrespect for user security. If Facebook has both of those security measures in place, though, they did all they realistically could. If somebody lets their private email get indexed by Google (seriously, though, how does that even happen??), that's their own problem.

2. The other class of leaked urls link email addresses to Facebook profiles. This isn't as immediately scary, and for a lot of people it wouldn't even matter. But it is easy to imagine scenarios where this kind of privacy would be important to someone, and this kind of leak would be just as scary as someone being able to log in as them. Frankly, I never would have thought of securing this, and I doubt Facebook did anything to secure it. Going forward, though, it would probably be worth it for them to link auto-username-populating through one-time-use, expiring tokens as well.

So, it looks like Facebook probably got hit with a bizarre edge case privacy / security issue. There are likely things they could do to make their system more resistant to this kind of thing, but at the same time they probably didn't do as badly as this might make them look at first glance.

Again, this is speculation, any confirmation or disconfirmation would be great.

[nico-roddz]

This is how everything started:

A friend forward me an email from a FB group notification

Something like:

http://www.facebook.com/n/?groups%[id here]%2Fpermalink%[id here]%2F&mid=[id here]&bcode=[id here]-mjoi&n_m=[email adress here]

When I clicked the url I got automatically logged into my friend's account.

So is definitely a Facebook security issue.

Then I tried some google searches to see if I could find some urls containing the parameters:

bcode= &email= n_m= mid=

Not a big deal, really.

[dhimes]

Thanks for catching this nico-- looks like it's been removed from Google.

[nico-roddz]

You're welcome!

[cbjoe]

I suspect this was caused by Google software, most likely Chrome or Google Toolbar, sending these private URLs to Google to be indexed.

[Matt_Cutts]

See elsewhere on this discussion where I debunked your theory.

[cypherpunks01]

This theory seems partially supported by the fact that a lot of email addresses here are on the same domains:

  yahoogrupos.com.br
  yahoogroupes.fr
  asdasd.ru
  blogger.com

Seems like emails on these domains are much more easily viewable/leakable/indexable than normal personal email addresses?

EDIT: Googling one of the discovered gmail address revealed a Facebook email (with 'bcode') being auto-blogged at weight-loss-information-123.blogspot.com https://encrypted.google.com/search?hl=en&q=danielsams20... - some kind of malware maybe?

[akaBruce]

Going through my own inbox for Facebook emails, it attaches my email address in the n_m parameter, the bcode parameter, and a mid parameter to all the links it gives me. This includes links to my friends' profiles, events, group posts, etc.

As far as an expiration on the auto-login, I rarely click on the links Facebook provides in my email. (I like to get the notification to remind me to go on Facebook later.) The last one I got was about 25 hours ago. I didn't use the link before and it did not log me in when I clicked it just now.

[macchina]

I clicked on some profiles, and I noticed that many of the e-mail addresses populated were @asdasd.ru — the domain of a Russian mailinator-type service. Something like that might be indexed.

[Evbn]

Huh, I wonder now if account hijacking is the actual design purpose of mailinators.

[alxndr]

"Some people's emails got out into the public internet, and were indexed. Some of these emails were from Facebook, and included links..."

Doesn't Google's toolbar phone home with the URLs you click on? That could be a way to get supposedly-private URLs into Google's list of URLs to be visited.

[stanleydrew]

Matt Cutts has publicly stated here and in other forums that the Google Toolbar does collect click data but does not use the data to insert URLs into Google's index. Here's a recent(ish) post on the matter:

http://www.seroundtable.com/google-toolbar-indexing-12894.ht...

[randartie]

That's an interesting idea, but as someone noted, most of the emails involved here come from a small set of domains, such as blogger or anonymous mailinator type emails (emails which are possibly crawled by google often!)

I think if it were google's toolbars picking up urls in emails, that there would be many more email domains here.