Hackers Can Post Pictures and Text as You in Facebook Groups

The post-by-email feature in Facebook Groups has opened up a new wave of security concerns as The Next Web has reported how the feature can be easily abused by hackers. The feature could allow an online attacker to post pictures or plain text as anyone that is a member of any given Facebook group. In order to do this, the hacker would only need access to a local SMTP server and would need to know what your email address for your Facebook log-in is.

As for how it’s done, it’s devilishly simple. The attacker just has to change the “from” field in a new email and then send the email to the Facebook group’s email address. Facebook has no verification system; it simply sees that an email is coming from the user’s email address and assumes it’s actually them. Here are two possible solutions, as put forward by The Next Web:

“By enabling verification of a security token: Facebook may give you one security-token which will be known by you and YOU ONLY, and you will have to include it somewhere in the mail (body/subject) while using this ‘POST BY EMAIL’ feature. Once they verify it as you, they will allow that post to go to the group wall.

By verifying the origin of the mail: Once you use this ‘POST BY EMAIL’ feature, Facebook may send you a confirmation/verification link to your email address which must click on to verify the authenticity of your content.”

Hopefully Facebook will act soon to solve this issue. What other simple steps could Facebook take to lock down its users’ privacy?


This article appears courtesy of our friends at Facecrooks.com.
You can view the original version here.