We've all seen the emails, "*FRIEND* wants to be friends with you on Facebook", or "*FRIEND* commented on your status."
When you receive these messages, there is a convenient button, "Confirm friend request" or "See comment", embedded in the email message.
To ensure a frictionless experience, Facebook was embedding a cookie-like identifier in the links so you would not need to log in to Facebook to acknowledge friend requests and other messages.
Any time there is a method to bypass a security mechanism, it will be abused, and this feature was no exception.
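
One way to keep the convenience of such e-mail links while limiting what a leaked link is worth, shown as an added example that is not from the original post and not Facebook's code: the link carries an HMAC-signed token bound to one user, one action and one object, with an expiry and single use, rather than a reusable cookie-like identifier. The key, the field layout and the names `make_link_token` and `redeem_link_token` are assumptions for illustration.

```python
import base64, hashlib, hmac, time

SECRET = b"constructed-demo-key"  # assumption: server-side key, never sent to clients
_redeemed = set()                 # assumption: stands in for a server-side single-use store

def _enc(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _dec(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_link_token(user_id, action, object_id, ttl=3600, now=None):
    """Mint a token for ONE action on ONE object; fields must not contain '|'."""
    expires = int((time.time() if now is None else now) + ttl)
    payload = f"{user_id}|{action}|{object_id}|{expires}".encode()
    sig = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return f"{_enc(payload)}.{_enc(sig)}"

def redeem_link_token(token, requested_action, now=None):
    """Return (user_id, object_id) if the token allows requested_action, else None."""
    try:
        p64, s64 = token.split(".")
        payload, sig = _dec(p64), _dec(s64)
        user_id, action, object_id, expires = payload.decode().split("|")
        expires = int(expires)
    except ValueError:            # malformed token, bad base64, wrong field count
        return None
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None               # forged or altered
    if action != requested_action:
        return None               # a "confirm friend" link cannot open anything else
    if (time.time() if now is None else now) >= expires:
        return None               # stale e-mail
    if expected in _redeemed:     # keyed on the verified MAC, not the raw string,
        return None               # so re-encoded copies of the token still count as used
    _redeemed.add(expected)
    return user_id, object_id
```

A token redeemed this way authorises only the named action; anything else on the account still goes through the normal login.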