Clicking a Facebook link logs me into another person's account
Peter Kim Frank Dec 4 '17
Last week I received a forwarded message from my mom's email account. I approach any "FWD: FWD: FWD: You have to see this!" type of email chain with skepticism.
But... I was curious, and I determined that if it looked safe to proceed, I would. I moused over the "Open Facebook" link, copied the URL, and gave it a close inspection —
I've been around ccTLDs and have seen enough domain spoof tricks that I was confident the link was legitimate. I decided to check out what she had sent me.
I pasted the link into the address bar, hit enter, and suddenly found myself looking at my mom's news feed! Somehow I had been logged out of my account, and had been logged in to her account.
I immediately signed out and attempted to recreate this phenomenon, wondering if I was imagining things. Lo and behold, it worked again — I was logged out of Facebook, now I was logged in as her.
- It does not work in an incognito window
- It does not work in a new Chrome "People" instance, even if I start off logged in on my personal account
- It only works in my specific Chrome browser
- It does work if I'm already logged in to my account
- It also does work if I'm signed out of all accounts
I am 99% confident my mom has never logged into Facebook on this computer.
Every clickable link in that email logs me in, but here's the full "Open Facebook" link. I've removed my mom's email and her friend's user ID for privacy.
Given that this only works in my specific browser window, I'd have to think it's due to cookies or something. I haven't cleared my cookies/cache, because I want to preserve any useful info before going to that step of the experiment.
Does anyone know what's going on?
PS — the video link she evidently wanted to share is that "slippery stairs" clip that's been going around :)