Today I received the below email with the subject "Confirm your ownership of firstname.lastname@example.org" asking me to claim my Facebook email address. At first it seemed like a phishing email, but on closer inspection of the links and sender headers it turned out to be a genuine email with correct links and the real Facebook as sender. I was pretty sure there was something fishy, and on researching the target link https://www.facebook.com/claim_email/check_code?email=myemail%40gmail.co... I discovered a recent working exploit for Facebook which only became public on June 14, 2013 and was used by someone to try and hack my Facebook account. This noob-friendly hack exploits a critical vulnerability in Facebook which allows a hacker to easily take complete control over any Facebook account if the victim clicks the link while logged into Facebook.
This exploit works because Facebook allows a user to "claim" an email address that already exists on their system. That means if you have an email address registered with Facebook and somebody claims it from their own Facebook profile, the email above gets generated asking for your permission to do so, but it is very ambiguous and does not clarify what is actually being done or the effects it can have. The problem arises if you click the link above: no verification is done and the hacker is allowed full access to your account, because you have allowed the addition of an alternative email address which in reality belongs to the hacker. Check out the video demo below.
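As an added illustration (not code from this post and not Facebook's implementation), the Python sketch below contrasts a claim-confirmation handler with the flaw described above, where the link attaches an email to whichever account is logged in when it is opened, against a hardened version that binds a single-use token to the claiming account and email, rejects a mismatched email parameter, and only acts on an explicit consent step. The account names, in-memory stores and result strings are constructed assumptions.

```python
import secrets

# Constructed in-memory stores standing in for a real database.
CLAIMS = {}  # token -> {"account": claimant, "email": address, "expires": unix time}
ACCOUNT_EMAILS = {"victim": {"victim@example.org"}, "attacker": {"attacker@example.net"}}
TOKEN_TTL = 3600  # seconds a mailed confirmation link stays valid


def start_claim(claimant_account, email, now):
    """`claimant_account` asks to add `email`; the returned token is what gets mailed to `email`."""
    token = secrets.token_urlsafe(32)
    CLAIMS[token] = {"account": claimant_account, "email": email, "expires": now + TOKEN_TTL}
    return token


def vulnerable_check_code(session_account, email):
    """Flawed pattern matching the post: the email named in the link is attached to
    whoever is logged in when the link is opened, with no token check and no consent."""
    ACCOUNT_EMAILS.setdefault(session_account, set()).add(email)
    return "added"


def hardened_check_code(session_account, token, email, consented, now):
    """Safer pattern: the token must exist and be unexpired, the email in the link must
    match the one the token was issued for, the action must be confirmed explicitly
    (a POST from a page that names the claiming account), and the email is attached
    only to the account that started the claim, never to the session that opened the link."""
    claim = CLAIMS.get(token)
    if claim is None or now > claim["expires"]:
        return "invalid_or_expired"
    if claim["email"] != email:
        return "email_mismatch"  # a link whose email parameter was tampered with does nothing
    if not consented:
        return "consent_required"  # GET only renders the confirmation page
    if session_account is None:
        return "login_required"  # the person consenting must be identifiable
    ACCOUNT_EMAILS.setdefault(claim["account"], set()).add(claim["email"])
    CLAIMS.pop(token)  # single use: replaying the link afterwards is rejected
    return "added_to_" + claim["account"]
```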