Facebook has responded to reports of a security issue that lets people post in Groups as if they’re someone else. It says this is a known problem with the SMTP email standard, and that it is working with email providers to close the hole. Facebook explains that it does use email verification, and that “our system rejects most unauthenticated email to groups,” or flags suspicious emailed posts as “Unconfirmed Sender.” However, it will now do both more aggressively to protect users from being duped.
This morning a group of Facebook users posted about the vulnerability (but have since deleted the post). The security hole allows hackers employing server-side scripts or their own SMTP (simple mail transfer protocol) server to post to Facebook Groups as if they were someone else. That means it might look like you posted offensive or spammy text or a photo when really a hacker was the author.
The post was first spotted by The Next Web, though the outlet incorrectly stated that Facebook does not employ a verification system to authenticate email. In fact, “Facebook requires either SPF records or DKIM signatures to authenticate mail” and typically rejects unauthenticated messages. However, limitations of the standard let some exceptions through; Facebook typically flags these, but it may occasionally miss some fraudulent posts.
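As an added illustration (not Facebook’s code, and not from the article), the Python below shows the kind of gate the article describes for an emailed group post: read the receiving server’s Authentication-Results header, accept the post when SPF or DKIM passes for a domain aligned with the From: address, reject it on an explicit failure, and otherwise accept it but mark it as an unconfirmed sender. The addresses, header values and the exact reject-versus-flag policy are assumptions made for the example.

```python
import email
from email.utils import parseaddr


def _msg(auth_results: str, sender: str = "Alice <alice@example.com>") -> str:
    """Build a constructed inbound group post (hypothetical addresses, not from the article)."""
    return (f"From: {sender}\nTo: group-post@groups.example.net\n"
            f"Authentication-Results: groups.example.net; {auth_results}\n"
            "Subject: Hi all\n\nPost body.\n")


def parse_auth_results(value: str) -> dict:
    """Parse an RFC 8601 Authentication-Results header into {method: {"result": r, prop: val}}."""
    results = {}
    parts = [p.strip() for p in value.split(";")]
    for part in parts[1:]:  # parts[0] is the authserv-id of the host that did the checks
        tokens = part.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        entry = {"result": result.lower()}
        for prop in tokens[1:]:
            if "=" in prop:
                key, val = prop.split("=", 1)
                entry[key.lower()] = val.lower()
        results[method.lower()] = entry
    return results


def _aligned(auth_domain: str, from_domain: str) -> bool:
    """Relaxed alignment: the authenticated domain and the From: domain are equal or one is a subdomain of the other."""
    return bool(auth_domain) and (auth_domain == from_domain
                                  or auth_domain.endswith("." + from_domain)
                                  or from_domain.endswith("." + auth_domain))


def classify_group_post(raw_message: str) -> str:
    """Return 'accept', 'reject' or 'accept_unconfirmed_sender' for an emailed post (assumed policy)."""
    msg = email.message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    ar = parse_auth_results(msg.get("Authentication-Results", ""))
    dkim, spf = ar.get("dkim", {}), ar.get("spf", {})
    dkim_ok = dkim.get("result") == "pass" and _aligned(dkim.get("header.d", ""), from_domain)
    spf_ok = spf.get("result") == "pass" and _aligned(spf.get("smtp.mailfrom", "").rpartition("@")[2], from_domain)
    if dkim_ok or spf_ok:
        return "accept"  # the From: domain vouched for this message via SPF or DKIM
    if "fail" in (dkim.get("result"), spf.get("result")):
        return "reject"  # the domain publishes SPF/DKIM and the check failed outright
    return "accept_unconfirmed_sender"  # no authentication available: post, but warn the reader


if __name__ == "__main__":
    print(classify_group_post(_msg("spf=none smtp.mailfrom=other.invalid; dkim=none")))
```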
In response to more awareness of the vulnerability, Facebook’s security team told me “We’ve been showing [the "Unconfirmed Sender" warning seen above] in most cases. We’re going to show more warnings, and limit the number of use cases [that allow for unauthenticated messages].”
Keeping groups safe is more important than ever now that Facebook is looking to lure businesses to the feature thanks to an integration with Dropbox launched today.
Facebook’s security team sent this full statement on the vulnerability to TechCrunch:
Facebook Group email updates, similar to all emails received over SMTP, do not provide authentication for the sender address. This is a known vulnerability of the SMTP system, but Facebook will seek to display a warning whenever the sender cannot be authenticated. To help ensure a secure environment, our system rejects most unauthenticated email to groups, but there are still a few cases that we accept the message and warn the user due to a high rate of false positives and limited adoption of authentication standards. We’re working with the industry to develop better standards and practices to close those remaining holes. We remind all of our users to be careful whenever they receive a message from an unrecognized or unauthenticated source. For this and more tips please visit www.facebook.com/security.