Beware Of Facebook Comment Spoofing

F-Secure has suggested that Facebook’s new reply-by-email feature may be exploitable. The press release explains that malicious users can respond to any thread on Facebook as long as they have the proper thread email address. The full explanation is this as follows.

When there is a posted item or status update available on Facebook, and a user leaves a comment, a thread begins. All the users on the comment thread receive email updates of the latest activity on the thread. Facebook recently enabled users to respond to this thread directly from their email, just by replying to the email notification.

The problem is, that email notification address is accessible by anyone. Meaning that if someone were to find that email somehow, they could respond on this thread, regardless of whether they’re your Facebook friend. Unfortunately for Facebook, it’s relatively difficult to control this security vulnerability. As Jacob Friedman points out:

While Facebook scammers still spam comments from accounts that get passwords stolen or phished, this type of hack is much more difficult for Facebook to control. Where Facebook could simply lock compromised accounts out until their owners change their passwords, it’s much more difficult for Facebook to fix compromised email accounts. It would be difficult for Facebook to work with email providers, especially smaller ones, to get compromised account holders to change their passwords. Facebook’s only recourse might be to delete the accounts of users with compromised email accounts.

So yes, there’s very little you can do to protect yourself against this problem aside from using good email security practices. Awareness, however, is the best form of protection! As a side note, this feature has been long requested and was certainly welcome from me, with my many, many status update comments posted to my profile (/sarcasm).