A Nice Big FriendFeed Bug: Impersonate Anyone!

[Image: Screen shot 2009-09-11 at 3.48.15 PM]

There’s quite a big vulnerability with FriendFeed right now. Using the FriendFeed By Email function, apparently anyone can post a message as anyone else on FriendFeed. For example, someone posted this pretending to be FriendFeed co-founder Bret Taylor.

Obviously, this is a huge security problem. When it was spotted just about an hour ago, FriendFeed jumped on it quickly, and has shut down email posting while they look into the issue. (Good to know they can still hop on these problems with FriendFeed even though they are now technically Facebook employees.) Still, you have to wonder whether this bug has existed for months, or for however long this feature has existed.

We’ve reached out to FriendFeed to see if there have been any serious compromises because of this bug.