January 13, 2010
Facebook Enables Commenting by Replying to Notification Emails: Will this be Exploited to Harvest Email Addresses?
Facebook has enabled replying to comments through email (see Facebook's blog post on "Replying to Comments through Email" at http://blog.facebook.com/blog.php?post=206480947130 ).
Overall, I would call this a good thing as it seems to me that it might reduce the number of users who click on links in Facebook notification emails to access their accounts (which is something I'm always advising people *not* to do, since so many phishing attacks work by putting malicious/fraudulent URLs into convincing-looking social media notification emails).
I haven't spent a ton of time thinking about the various security ramifications of this new feature, but one thing I predict:
I think it's only a matter of time before we see spoofed Facebook notification phish/spam that takes advantage of this feature to harvest email addresses. (e.g., the recipient replies to the fraudulent FB notice thinking it'll publish a comment, but all it does is confirm to the spam/phish sender that, indeed, there is a valid email recipient at that address.)
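One defensive check that follows from the prediction above, added here as an example and not part of the original post: classify a notification email by where a reply would actually be delivered, since a spoofed notice harvests addresses only if the reply reaches the sender's mailbox. The expected sender domains (facebookmail.com, facebook.com) and the three sample messages are assumptions constructed for this example.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumption (not from the post): domains the genuine service sends notifications
# from. A constructed example list, not an authoritative allowlist.
EXPECTED_SENDER_DOMAINS = {"facebook": {"facebookmail.com", "facebook.com"}}

# Constructed sample messages for the example (not real captured mail).
GENUINE_NOTICE = (
    "From: Facebook <notification+abc@facebookmail.com>\n"
    "To: user@example.org\nSubject: Alice commented on your status\n\n"
    "Reply to this email to comment.\n")
REPLYTO_HARVEST = (
    "From: Facebook <notification@facebookmail.com>\n"
    "Reply-To: replies@harvest.example\n"
    "To: user@example.org\nSubject: Alice commented on your status\n\n"
    "Reply to this email to comment.\n")
LOOKALIKE_SENDER = (
    "From: Facebook <notification@facebook-mail.example>\n"
    "To: user@example.org\nSubject: Alice commented on your status\n\n"
    "Reply to this email to comment.\n")


def _domain(header_value):
    """Return the lowercase domain of the first address in a header, or ''."""
    _, addr = parseaddr(str(header_value) if header_value is not None else "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_reply_target(raw_message, brand="facebook"):
    """Classify a notification email by where a reply would go.

    This does not verify sender authenticity (SPF/DKIM are out of scope); it
    only asks whether replying would hand the recipient's address to a domain
    the branded service is not expected to use. Returns one of:
      'ok'                - reply goes back to an expected domain for the brand
      'reply_to_mismatch' - From looks legitimate but Reply-To is a foreign domain
      'spoofed_sender'    - From itself is not an expected domain
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_dom = _domain(msg.get("From"))
    # A reply is addressed to Reply-To when present, otherwise to From (RFC 5322 3.6.2).
    reply_dom = _domain(msg.get("Reply-To")) or from_dom
    expected = EXPECTED_SENDER_DOMAINS[brand]
    if from_dom not in expected:
        return "spoofed_sender"
    if reply_dom not in expected:
        return "reply_to_mismatch"
    return "ok"
```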