Why can I log in to my Facebook account with a misspelled email/password?
I've been playing around with different login forms online lately to see how they work. One of them was the Facebook login form. When I logged out of my account my email and password were autocompleted by my browser. Then I decided to misspell my email and see what would happen if I tried to log in.
To my surprise I logged in with no problem after changing my email from
[email protected]. I then started experimenting with different spelling errors and I had no problem logging in as long as it was not too far off my real email. I tried changing the domain name as well
[email protected], my email prefix
Then I also tried misspelling my password and as long as it was not too far off my real password I could log in no problem (with the password it worked when adding one random letter before or after the real password, but not when adding a letter in the middle of it).
I also checked the actual data sent in the request by looking at it in Chrome DevTools and in fact it was the wrong data sent.
How can this be? Should I be worried about my account's security?
If true (and it's a big enough claim that I'm going to want to verify it independently), then yes, everyone should be worried about account security, as it means passwords are stored in a reversible form.
@Ghedipunk to be more precise, it worked with a single random letter added before, and after the real password. Adding a random letter in the middle didn't allow me to log in.
That's an important distinction, with the random letter being before or after (and thanks for editing the question with that clarification as well; it helps)... That can be checked without storing it in a reversible form. With them allowing a bit of a fudge factor like that, it's time for me to generate an even longer password, though... ;-)
Can you reproduce this after deleting cookies, localstorage, and other storage? Or try it with a fresh browser profile. I suspect that your username could still be stored in a cookie and Facebook only tries to verify if you want to log in to the account in the cookie, so they can accept minor differences, because they only need to detect if you want to use another account, not what the username of the current account is.
It's worth adding that Facebook allows 2-factor authentication, which vastly improves the security of your account.
Would be interested to see what happens when you create a new account with a very similar email prefix.
Unless you're officially participating in one of Facebook's security bounty programs, you need to be very careful (i.e. stop it now) probing Facebook for security vulnerabilities. In general you should not probe other people's websites unless you've thoroughly covered yourself legally; otherwise you could run afoul of laws prohibiting hacking, and do so in a way that could land you in prison for quite a while. Here's an example: https://nakedsecurity.sophos.com/2012/02/20/jail-facebook-ethical-hacker/. Will look for a more extreme example...
Can't seem to find the other example; basically a white hat hacker was sentenced to prison time for entering a single-quote in a form on a public website as this was interpreted in court to have been an attempt at a SQL injection attack. Bottom line: do NOT assume that your actions will be taken as harmless.
Okay here's a link to a Quora answer that addresses some U.S. legal implications (note: IANAL) of probing the security of someone else's website: https://www.quora.com/Is-it-legal-to-test-a-website-for-vulnerability-without-permission-from-the-owner/answer/Kate-Vershov-Downing. And here's a SE Security answer that discusses this: https://security.stackexchange.com/questions/6355/at-what-point-does-hacking-become-illegal-us
And finally, here's a case where someone wanted to make sure the site they were using was secure so they probed its security and got convicted of a crime in the process (and got fired): https://www.theregister.co.uk/2005/10/06/tsunami_hacker_convicted/. So unless you're part of their bounty program or you have been hired by them as a security researcher, you really need to stop probing their security immediately, for your own sake. No sense in going to prison for being smart and creative; better to find a safer route to satisfy your curiosity.
@99Problems-Syntaxain'tone AFAIK Facebook's two-factor authentication forces you to allow SMS 2FA
@bob but a single quote could be trying to find a hole. Misspelling your email address with them correcting it is clearly functionality they designed. Surely you could never go to prison for misspelling your email address. Unless you misspell it with a SQL injection. And aren't these companies mad for pressing charges? They should talk to you and allow you to help. All they did was avoid the issue by putting someone in prison. It would be better to say "what did you find".
@Eoin I agree that everything you say is logical. Unfortunately it seems like law and logic don't always intersect (IANAL), plus I can see where a company might want to discourage unsolicited penetration testing from people outside the company, and prosecution is unfortunately an effective way to do that (not saying that's why charges were brought in these cases, just saying why I think they could have been brought). So I'd be very careful to avoid behavior that might get flagged as a possible hacking attempt. Just my two cents.
And everything I've seen written by security professionals online basically says the same thing: never probe security without permission and adequate legal protection (the latter means a documented legal agreement, and perhaps even some form of insurance if something does go wrong). Because in cases where it makes zero sense to do so, charges can be pressed, and you could lose the case and end up in prison. So I'm basically just repeating that advice here.
If you don't need to take the risk, don't take the risk. Although this information is also in the public, so you definitely don't need to take the risk as they have declared it.
@simplegamer my Facebook account uses app authentication (google's authenticator), so it doesn't force SMS 2FA
@bob dear gosh what if your finger slipped and you hit a single quote by accident without realizing it?! what if your cat ran over the keyboard and submitted the form?
@Michael Absolutely. Things happen, my main point is just don't do security probing if you don't have permission because you're liable to raise red flags and could get in a lot of trouble. If you're just using the system and accidentally type something weird once, you're probably fine. If not, then laws need a *serious* overhaul. But in general unsolicited security probing isn't a good idea. Not my words--I encourage you guys to check what I'm saying online.
Facebook is allowing you to make a handful of mistakes to ease the login process. A Facebook engineer explained the process at a conference. The gist of it is that Facebook will try various permutations of the input you submitted and see if they match the hash they have in their database.
For example, suppose your password is "myRealPassword!" but you submit "MYrEALpASSWORD!" (caps lock on, with shift inverting caps lock). The submitted password obviously doesn't match what they have stored in their database. Rather than reject you flat out, Facebook tries to up the user experience by trying to "correct" a few common mistakes such as inserting a random character before or after, capitalizing (or not) the first character, or mistakenly using caps lock. Facebook applies these filters one by one and checks the newly "corrected" password against what they have hashed in their database. If one of the permutations matches, Facebook assumes you simply made a small mistake and authorizes your session.
While worrying at first glance, this is actually still perfectly secure for a few reasons. First and foremost, Facebook is able to do this without storing the password in plaintext because they are transforming your provided (and untrusted) input from the form field and checking if it matches. Secondly, this isn't very helpful for someone trying to brute force the password because online attacks are nigh impossible thanks to rate limiting and captchas. Finally, the odds of an attacker/evil spouse knowing the text of your password and not the capitalization are abysmally small and so the risk created as a result of this feature is equally small.
Should you be worried? No, probably not.
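The following is an added illustration of the mechanism the answer describes, not Facebook's code (which the conference talk did not publish). It generates the corrected variants of the untrusted input (exact match, caps-lock inversion, first-character case toggle, one stray character before or after), hashes each with a salted slow hash, and compares hash-to-hash, so the stored password is never needed in plaintext. The password, the PBKDF2 parameters and the function names are assumptions chosen for the example. It also exposes the defender-side cost: each login attempt effectively tests several passwords, which a rate limit has to budget for.

```python
import hashlib
import hmac
import os

# Hypothetical parameters for this example; a production system would use a
# dedicated password hash (argon2/scrypt/bcrypt) with tuned cost.
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow hash of a password. Only the hash and salt are stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def register(password: str) -> dict:
    """Simulate account creation: store a fresh salt and the password hash."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


def candidate_passwords(submitted: str) -> list:
    """Typo-tolerant variants of the submitted password, in the order tried.

    Mirrors the corrections described in the answer: exact match, caps-lock
    inversion (swap case), first-character case toggled, and one stray
    character typed before or after the real password.
    """
    candidates = [submitted]
    if submitted:
        candidates.append(submitted.swapcase())
        first, rest = submitted[0], submitted[1:]
        candidates.append(first.swapcase() + rest)
        if len(submitted) > 1:
            candidates.append(submitted[1:])   # stray character typed before
            candidates.append(submitted[:-1])  # stray character typed after
    # Deduplicate while preserving order so each hash is computed only once.
    seen = set()
    unique = []
    for c in candidates:
        if c not in seen:
            seen.add(c)
            unique.append(c)
    return unique


def verify_login(submitted: str, record: dict) -> bool:
    """Accept the login if any corrected variant hashes to the stored value.

    The stored password is never needed in plaintext: every candidate is
    derived from the untrusted input and compared hash-to-hash in
    constant time.
    """
    for candidate in candidate_passwords(submitted):
        if hmac.compare_digest(hash_password(candidate, record["salt"]), record["hash"]):
            return True
    return False


def guesses_per_attempt(submitted: str) -> int:
    """How many distinct passwords one login attempt effectively tests.

    This is the attacker-side effect of the feature: each online guess
    covers this many candidates, so rate limits must budget for it.
    """
    return len(candidate_passwords(submitted))


if __name__ == "__main__":
    account = register("myRealPassword!")  # constructed sample password
    for attempt in ["myRealPassword!", "MYrEALpASSWORD!", "xmyRealPassword!",
                    "myRealPassword!x", "myRealxPassword!", "myrealpassword!"]:
        print(f"{attempt!r:22} -> {verify_login(attempt, account)}")
```

Note that the stray-character rule only covers the first or last position, which matches the questioner's observation that a letter inserted in the middle is rejected; and a fully lower-cased submission fails because no single correction maps "myrealpassword!" back to the real password.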
Comments are not for extended discussion; this conversation has been moved to chat.
It would help to know this when creating a password. For example, this at least appears to make capitalization useless/irrelevant insofar as security, so you may as well not use it - which saves a bit of brainspace.
@ChrisMoschini unless you only capitalize the first word - I completely disagree. As is explained in the answer, Facebook tries the password with inverted caps lock, so, taking from his example, if you send "myrealpassword" or "MYREALPASSWORD", it won't work.