A recent Facebook feature can be turned into a cyber-bullying tool in the wrong hands, a security vendor warns.
Facebook's new feature – "reply to this e-mail to comment on this status" – gives attackers a way to post messages on other people's Facebook pages, according to a blog post by security vendor F-Secure.
These messages could include personal attacks that seem to come from a user but are actually written by someone who has compromised that person's e-mail account, for instance.
The intent of the feature is to allow Facebook users to respond directly from their e-mail when they receive e-mail notifications that include messages that have been posted to their Facebook accounts. They can respond without having to go to the Facebook site first, eliminating a step and thereby saving time.
But eliminating that step can also leave a crack in Facebook's armour, according to F-Secure security adviser for North America Sean Sullivan. Authenticating to the Facebook site before writing a reply drops out of the equation, so someone other than the account holder can post. "They can put words in my mouth," he says.
If a user's e-mail account is compromised via phishing or direct hacking, spammers can respond to any Facebook notifications they come across, Sullivan says. F-Secure has posted a demonstration of how this can work on its blog.
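To make the trust model concrete, the following is a constructed model of a reply-by-email comment handler. It is an added example, not Facebook's or F-Secure's code; the page does not describe how Facebook's reply addresses actually work, so the token format, the `notifications.example.com` domain, the server key and the seven-day lifetime are all assumptions. It shows what Sullivan describes: once the reply address is accepted as the credential, whoever can read the mailbox can post, and a hardened handler can only narrow the window (one notification, one recipient, one use, limited lifetime), not tell the owner from an intruder in the same mailbox.

```python
import hashlib
import hmac

# Constructed example of a generic reply-by-email comment handler.
# Not Facebook's code; domain, key and lifetime are placeholders.
SERVER_KEY = b"constructed-server-secret"     # assumption: per-deployment secret
REPLY_DOMAIN = "notifications.example.com"    # assumption: placeholder domain
TOKEN_TTL = 7 * 24 * 3600                     # assumption: replies valid for 7 days


def _mac(parts):
    """HMAC over the token fields so the address cannot be forged or edited."""
    return hmac.new(SERVER_KEY, ":".join(parts).encode(), hashlib.sha256).hexdigest()[:32]


def issue_notification(user_id, post_id, mailbox, issued_at, nonce):
    """Build the notification the service mails out (only the relevant headers)."""
    parts = [user_id, post_id, str(issued_at), nonce]
    token = ".".join(parts + [_mac(parts)])
    return {"To": mailbox, "Reply-To": f"reply+{token}@{REPLY_DOMAIN}"}


def _parse(reply_to):
    """Return (user_id, post_id, issued_at, nonce) if the address carries a valid token."""
    local, _, domain = reply_to.partition("@")
    if domain != REPLY_DOMAIN or not local.startswith("reply+"):
        return None
    fields = local[len("reply+"):].split(".")
    if len(fields) != 5:
        return None
    user_id, post_id, issued_at, nonce, mac = fields
    if not hmac.compare_digest(mac, _mac([user_id, post_id, issued_at, nonce])):
        return None
    return user_id, post_id, int(issued_at), nonce


def naive_handle(reply):
    """Weak: a valid token is the whole credential; no login step remains."""
    parsed = _parse(reply["To"])
    if parsed is None:
        return None
    user_id, post_id, _, _ = parsed
    return (user_id, post_id, reply["Body"])


class HardenedHandler:
    """Binds each token to one notification, one recipient, one use and a lifetime."""

    def __init__(self, recipient_of):
        self.recipient_of = recipient_of   # user_id -> mailbox the notification went to
        self.used = set()                  # (user_id, nonce) pairs already redeemed

    def handle(self, reply, now):
        parsed = _parse(reply["To"])
        if parsed is None:
            return None, "bad token"
        user_id, post_id, issued_at, nonce = parsed
        if now - issued_at > TOKEN_TTL:
            return None, "expired"
        if reply["From"].lower() != self.recipient_of[user_id].lower():
            return None, "sender mismatch"
        if (user_id, nonce) in self.used:
            return None, "replayed"
        self.used.add((user_id, nonce))
        return (user_id, post_id, reply["Body"]), "ok"


def demo():
    """Run constructed replies through both handlers and collect the outcomes."""
    t0 = 1_700_000_000
    note = issue_notification("alice", "post42", "alice@mail.example", t0, "n1")
    # Written by whoever controls alice's mailbox: the owner or an intruder.
    from_mailbox = {"From": "alice@mail.example", "To": note["Reply-To"], "Body": "hi"}
    # Same token, but sent from another mailbox after the mail was forwarded.
    forwarded = {"From": "bob@mail.example", "To": note["Reply-To"], "Body": "hi"}
    h = HardenedHandler({"alice": "alice@mail.example"})
    late = HardenedHandler({"alice": "alice@mail.example"})
    return {
        "naive": naive_handle(from_mailbox),
        "naive_forwarded": naive_handle(forwarded),
        "first": h.handle(from_mailbox, t0 + 60)[1],
        "replay": h.handle(from_mailbox, t0 + 120)[1],
        "forwarded": h.handle(forwarded, t0 + 60)[1],
        "late": late.handle(from_mailbox, t0 + TOKEN_TTL + 1)[1],
    }


if __name__ == "__main__":
    print(demo())
```

Two points from the demo are worth keeping in mind. The first reply from the compromised mailbox is accepted by both handlers, because the service has no way to see who typed it; the hardened version only stops the token being reused, replayed after expiry, or redeemed from a different mailbox. The `From` check itself is only meaningful when the inbound mail gateway enforces SPF/DKIM/DMARC on the sending domain, since the header is otherwise trivially set by the sender.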
Facebook users can opt out of receiving the e-mail notifications altogether by adjusting their settings.