Whilst playing around with the Facebook API for Screenreach, I noticed that I was getting messages sent to my inbox that weren't from any Facebook account that I had set up. It turns out that one of my email addresses had been associated with another Facebook account, albeit as an unconfirmed email address.
However, this is where the problem seems to lie. It seems that Facebook will send out message alerts even to unconfirmed email addresses, which in turn allows the holder of the unconfirmed email address to go through the security check and reset the password.
The security question in the password reset process asked for the user's date of birth. As I didn't know the answer and hence got it wrong three times, Facebook then emailed me a security code which could be entered back into Facebook, bypassing the question itself.
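To make the failure mode concrete, here is an added toy model of the recovery flow described above. It is not Facebook's code and nothing in it is drawn from their systems; the account, the addresses, the `RecoveryService` class and the `require_confirmed` switch are all constructed for illustration. The weak policy mails alerts to any attached address and, after three wrong answers to the security question, mails a reset code to that same address, so whoever controls an unconfirmed address can reset the password. The hardened policy only ever delivers to confirmed addresses, so the unconfirmed address gets neither the alerts nor the fallback code, while the genuine owner at a confirmed address can still recover.

```python
"""Toy model of an account-recovery flow (constructed example, not Facebook's code)."""
from dataclasses import dataclass, field
import secrets

MAX_QUESTION_ATTEMPTS = 3


@dataclass
class Account:
    user_id: str
    date_of_birth: str                           # answer to the security question
    emails: dict = field(default_factory=dict)   # address -> confirmed (bool)
    password: str = "original"


@dataclass
class Outbox:
    """Records mail the system would send as (address, body) tuples."""
    sent: list = field(default_factory=list)

    def send(self, addr, body):
        self.sent.append((addr, body))


class RecoveryService:
    """require_confirmed=False reproduces the weak behaviour; True is the hardened policy."""

    def __init__(self, account, outbox, *, require_confirmed):
        self.acct = account
        self.outbox = outbox
        self.require_confirmed = require_confirmed
        self.failed = 0
        self.codes = {}                          # address -> outstanding reset code

    def _deliverable(self, addr):
        # Hardened: only confirmed addresses are trusted as a delivery channel.
        if addr not in self.acct.emails:
            return False
        return self.acct.emails[addr] or not self.require_confirmed

    def notify(self, addr, text):
        """Message alert; returns True if mail was actually sent."""
        if self._deliverable(addr):
            self.outbox.send(addr, text)
            return True
        return False

    def answer_question(self, addr, dob):
        """One attempt at the security question: 'ok', 'retry', 'code_sent' or 'locked'."""
        if dob == self.acct.date_of_birth:
            self.failed = 0
            return "ok"
        self.failed += 1
        if self.failed < MAX_QUESTION_ATTEMPTS:
            return "retry"
        # Three strikes: fall back to an e-mailed code, but only to a deliverable address.
        if self._deliverable(addr):
            code = secrets.token_hex(4)
            self.codes[addr] = code
            self.outbox.send(addr, f"Your security code is {code}")
            return "code_sent"
        return "locked"

    def redeem_code(self, addr, code, new_password):
        """Single-use code redemption; returns True if the password was changed."""
        if self.codes.get(addr) == code:
            del self.codes[addr]
            self.acct.password = new_password
            return True
        return False


def run_scenario(require_confirmed, addr):
    """Attempt recovery from `addr` against a constructed victim account.

    'owner@example.com' is the confirmed address; 'me@example.org' is attached
    but unconfirmed, as in the post. Returns what an attacker at `addr` achieved.
    """
    victim = Account("victim", "1990-01-01",
                     emails={"owner@example.com": True, "me@example.org": False})
    outbox = Outbox()
    svc = RecoveryService(victim, outbox, require_confirmed=require_confirmed)
    svc.notify(addr, "You have a new message")
    result = None
    for _ in range(MAX_QUESTION_ATTEMPTS):
        result = svc.answer_question(addr, "wrong-date")   # attacker does not know the DOB
    reset = False
    if result == "code_sent":
        code = outbox.sent[-1][1].split()[-1]             # read the code out of the mailbox
        reset = svc.redeem_code(addr, code, "attacker-chosen")
    return {"mail_sent": len(outbox.sent), "result": result, "password_reset": reset}


if __name__ == "__main__":
    print("weak policy, unconfirmed address:", run_scenario(False, "me@example.org"))
    print("hardened policy, unconfirmed address:", run_scenario(True, "me@example.org"))
    print("hardened policy, confirmed owner:", run_scenario(True, "owner@example.com"))
```

The interesting line is `_deliverable`: the three-strikes fallback is not wrong in itself, but it is only as strong as the channel the code is sent down, so an address that was never proven to belong to the account holder must not be on that list.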
Being the nice chap that I am, and after all at the time I thought it was my account in question, I have alerted the user to the change and given him access to his account back. However, I can't seem to get hold of Facebook to tell them what has gone on.
I am not sure whether it is totally a Facebook issue or whether the user should have been more careful, but to me the system shouldn't have let me bypass the security question itself. Security should be paramount for everyone, and this to me seems to be a failing in the system.