I’m documenting this here since I could potentially need further documentation on this matter in the future.
A friend of mine (one of the people in the stable of assets Corry Area Consulting can utilize for large projects) reached out to me this morning and asked if I had ever seen a certain behavior on Facebook.com before. I had not. I went ahead and tested it myself. I confirmed the issue is legitimate. We tested an array of operating systems, browsers, and settings, and we were able to reproduce at will what we believe to be a critical flaw in Facebook’s security.
We have submitted a report via https://www.facebook.com/whitehat and in accordance with Facebook’s responsible disclosure policy we will publish no further details on this matter any time within the next 30 days, unless the issue is fixed before then. We hope to provide some more information on this exploit in the future, and sincerely hope that Facebook addresses this concern quickly.