Tell HN: Forwarded Facebook emails automatically login as recipient

For what it's worth:

I actually reported this very issue to FB over two weeks ago, and at first they denied it being an issue, saying it's a feature instead. After pushing a little I had them admit that this is actually a real security leak; however, they argued that I was _not_ the first one to find and report this. That means no six-figure bounty. They have since closed the ticket with what's basically a "will fix in the future".

After some discussion I found the following:

- Facebook at the very core assumes you don't forward your emails; the security staff I talked to didn't seem to understand that this is a very basic flawed assumption.

- It's by no means a one time use token, you can keep using it over and over again. I don't understand why, they could've just used a single use token if anything.

- It's bound by some kind of security mechanism, and from my PoC I found it to be simply your IP. I suspect your friend has logged onto or simply used Facebook from your IP address.

- The emails don't indicate the button you are about to press actually contains private information. This is bad UX. If people were told that the emails should be kept private and not shared (not the case) then this could be different.

This _seems_ to be a feature that they built so people can log in even if they have forgotten their passwords, in order to keep user engagement high.

It also opens up a can of worms. For example, if you break up with a partner and you still have an ancient forwarded email, you can now simply log in as them and have full control over their account. I suspect there's also little protection for public WiFi that shares the same IP, such as coffee places, cafes/bars or public transport hubs. If you see anyone there that has ever forwarded you an email, you now own their account ;).

But remember folks, that's not a bug. It's a feature!

Edit: At this point I actually don't believe this is new for FB. For me this is proof that business overtook good engineering and that there's simply a box checked with 'accepted risk'. There is either no actual previous report or people have been reporting this for a long time, but there seems to be no willingness to fix this.

To me it seemed to be hugely connected to last week's '50 mil account token' leak, but this is separate: accounts that I tested my PoC on can still be accessed, and it's telling that even after last week's PR nightmare this 'feature' is still online.