Clicking a Facebook link logs me into another person's account

December 2017

Background

Last week I received a forwarded message from my mom's email account. I approach any "FWD: FWD: FWD: You have to see this!" type of email chain with skepticism. But... I was curious, and I determined that if it looked safe to proceed, I would. I moused over the "Open Facebook" link, copied the URL, and gave it a close inspection —

https://www.facebook.com/n/?********************

I've been around ccTLDs and have seen enough domain spoof tricks that I was confident the link was legitimate. I decided to check out what she had sent me.

I pasted the link into the address bar, hit enter, and suddenly found myself looking at my mom's news feed! Somehow I had been logged out of my account, and had been logged in to her account.

I immediately signed out and attempted to recreate this phenomenon, wondering if I was imagining things. Lo and behold, it worked again — I was logged out of Facebook, now I was logged in as her.

Technical Notes

It does not work in an incognito window
It does not work in a new Chrome "People" instance, even if I start off logged in on my personal account
It only works in my specific Chrome browser
It does work if I'm already logged in to my account
It also does work if I'm signed out of all accounts
I am 99% confident my mom has never logged into Facebook on this computer
Here's the forwarded email (personal info removed):
Every clickable link in that email logs me in; but here's the full "Open Facebook" link. I've removed my mom's email and her friend's user ID for privacy. https://www.facebook.com/n/?{mom's-friend}%2Fposts%2F10212496299814942&aref=1511993084134606&medium=email&mid=55f260918c1fcG5af35c4d77cdG55f2652aec4ceG318&bcode=2.1511993084.Abxk5s8psLBCN-Sfxn4&n_m={my-mom}%40{her-domain}.com
Here's a GIF. Please note that I've cropped a few frames and then used a screenshot of FB at the very end for privacy reasons. Just didn't want my mom's email or random contacts showing up.

Conclusion

Given that this only works in my specific browser window, I'd have to think it's due to cookies or something. I haven't cleared my cookies/cache, because I want to preserve any useful info before going to that step of the experiment.

Does anyone know what's going on?

PS — the video link she evidently wanted to share is that "slippery stairs" clip that's been going around :)

Originally published on DEV