Facebook Active Sessions Security Breach

Be aware of this Facebook security breach/bug.

If you go to Facebook -> Account Settings -> Security -> Active Sessions, make sure you end any undesired sessions from unfamiliar IPs or browsers.

In my case I saw weird sessions somewhere around 3 weeks ago, with a weird browser coming from a specific IP. I'm very careful and only use Facebook on computers I trust, so it worried me. I called my ISP and asked them to provide me with my IP history. It turns out the IP with the weird browser/weird location belonged to me on that specific date. Therefore Facebook is showing me information about another user, which is a security breach. This is not a big security breach, as I can only get the user's browser, IP and activity, but the real problem is that it's pretty scary: somebody might think his account has been compromised by somebody else when in fact that is not the case.

The bug lies in the fact that Facebook still associates that IP with me, so it is using my IP as a unique identifier for the session, which is pretty scary. I hope it's only a UI issue. Facebook should use a cryptographically strong unique token as the unique identifier, with the IP and browser recorded only as descriptive metadata.
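To make the difference concrete, here is an added example (my own code, not Facebook's, and the IP-keyed store is only a model of the behaviour suspected above, not a confirmed implementation) contrasting a session store keyed by client IP with one keyed by a random token. The user names, IP address and browser strings are constructed.

```python
import secrets
from dataclasses import dataclass

@dataclass
class Session:
    user_id: str
    ip: str
    user_agent: str

class IpKeyedSessions:
    """Weak design: the client IP is the session id, and an IP stays bound to
    the first account seen on it (the behaviour the post suspects)."""
    def __init__(self) -> None:
        self.by_ip: dict[str, Session] = {}
        self.owner_of_ip: dict[str, str] = {}

    def login(self, user_id: str, ip: str, user_agent: str) -> str:
        self.by_ip[ip] = Session(user_id, ip, user_agent)
        self.owner_of_ip.setdefault(ip, user_id)  # never revised when the ISP reassigns the IP
        return ip  # the "session id" is just the address

    def active_sessions(self, user_id: str) -> list[Session]:
        return [s for ip, s in self.by_ip.items() if self.owner_of_ip[ip] == user_id]

class TokenKeyedSessions:
    """Hardened design: a 256-bit random token identifies the session;
    IP and browser are stored only as display metadata."""
    def __init__(self) -> None:
        self.by_token: dict[str, Session] = {}

    def login(self, user_id: str, ip: str, user_agent: str) -> str:
        token = secrets.token_urlsafe(32)  # 32 random bytes from the OS CSPRNG
        self.by_token[token] = Session(user_id, ip, user_agent)
        return token

    def active_sessions(self, user_id: str) -> list[Session]:
        return [s for s in self.by_token.values() if s.user_id == user_id]

def reassigned_ip_scenario(store) -> list[str]:
    """Constructed scenario: alice logs in, her ISP later hands the same dynamic
    IP to bob, then alice opens Active Sessions. Returns the browsers she sees."""
    ip = "203.0.113.45"  # constructed address from the documentation range
    store.login("alice", ip, "Firefox/trusted-laptop")
    store.login("bob", ip, "WeirdBrowser/1.0")  # same IP, different subscriber
    return [s.user_agent for s in store.active_sessions("alice")]
```

With the IP-keyed store alice is shown bob's "WeirdBrowser/1.0" session, exactly the symptom described above; with the token-keyed store she sees only her own login.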

Conclusion: Facebook should fix this security breach and also show the active sessions from m.facebook.com.