Background
Last week I received a forwarded message from my mom's email account. I approach any "FWD: FWD: FWD: You have to see this!" type of email chain with skepticism.
But... I was curious, and I determined that if it looked safe to proceed, I would. I moused over the "Open Facebook" link, copied the URL, and gave it a close inspection —
https://www.facebook.com/n/?********************
I've been around ccTLDs and have seen enough domain spoof tricks that I was confident the link was legitimate. I decided to check out what she had sent me.
I pasted the link into the address bar, hit enter, and suddenly found myself looking at my mom's news feed! Somehow I had been logged out of my account, and had been logged in to her account.
I immediately signed out and attempted to recreate this phenomenon, wondering if I was imagining things. Lo and behold, it worked again — I was logged out of Facebook, now I was logged in as her.
Technical Notes
- It does not work in an incognito window
- It does not work in a new Chrome "People" instance, even if I start off logged in on my personal account
- It only works in my specific Chrome browser
- It does work if I'm already logged in to my account
- It also does work if I'm signed out of all accounts
I am 99% confident my mom has never logged into Facebook on this computer
Every clickable link in that email logs me in; but here's the full "Open Facebook" link. I've removed my mom's email and her friend's user ID for privacy.
https://www.facebook.com/n/?{mom's-friend}%2Fposts%2F10212496299814942&aref=1511993084134606&medium=email&mid=55f260918c1fcG5af35c4d77cdG55f2652aec4ceG318&bcode=2.1511993084.Abxk5s8psLBCN-Sfxn4&n_m={my-mom}%40{her-domain}.com
Here's a GIF. Please note that I've cropped a few frames and then used a screenshot of FB at the very end for privacy reasons. Just didn't want my mom's email or random contacts showing up.
Conclusion
Given that this only works in my specific browser window, I'd have to think it's due to cookies or something. I haven't cleared my cookies/cache, because I want to preserve any useful info before going to that step of the experiment.
Does anyone know what's going on?
PS — the video link she evidently wanted to share is that "slippery stairs" clip that's been going around :)
Top comments (5)
so weird! have you looked into whether or not your mom's account is connected with yours in any capacity?
Not seeing anything notable in my FB Login/Security page.
Hi Peter,
This exact issue happened to my mother where she clicked an emailed link from Facebook and it logged her into my brother's account. Did Facebook ever get back to you or she'd any light on the cause of this issue.
Thanks
Micheal
Seems like you'd want to report this to facebook.
I just submitted a security disclosure.
The reason I was comfortable sharing this post publicly without doing so before is because I figuratively stumbled into this issue. I wasn't poking around or doing any level of vulnerability testing — just clicking a link @facebookmail.com sent me.
I've also been unable to reproduce it outside of my current browser window, which makes me think it's specifically related to some cookies I have saved.
I'll follow up (as allowed) if/when I hear back.