Facebook's login system continues to spill information that can be helpful to phishers, social engineers and other miscreants attempting to scam the more than 500 million active users of the social networking site. When a legitimate email address is entered along with an incorrect password, the authentication system returns an …
There's no excuse to get this fixed immediately. They only have one main login page and a handful of others for cross-site logins; how many changes do they need to make?
It's weird to see you talking of going to all that trouble, because I figured it was common knowledge that you can just enter an email address into Facebook's search box. The Facebook account matching that email address is returned regardless of whether the account holder chose to share the information.
"It's weird to see you talking of going to all that trouble, because I figured it was common knowledge that you can just enter an email address into Facebook's search box."
Except that you can only do a search if you are logged in.
This vulnerability can be used to verify email addresses, so would be useful to spammers.
And a spammer wouldn't have a Facebook account
he could log into because ... ?
Hate to say it but the guy has a serious point. There's no security to creating a Facebook account. Spammers could create 1 per hour per bot to validate and skim addresses if they so chose.
I also note that last week's bug is not fixed so much as duct-taped together.
If you enter an invalid password on a machine where the cookies from the previous session still exist, Facebook will continue to offer up the full name of the account holder.
It's not as serious as the original bug which displayed such information irrespective of the cookie, but it's still dangerous for those on shared or public computers. It's also completely unnecessary: in what situation would the full name of the user be useful?!
I also haven't done any research into whether the cookie that decides whether a name is shown might be forged. I'll leave that to the collective wisdom of the El Reg journos and commentards.
Most systems (e.g., ftp and ssh servers) stopped leaking data this way about twenty years ago. There is no excuse whatsoever for designing the login page this way.
That their 'fix' is to stop displaying names and pictures, rather than changing the underlying behavior, is yet another demonstration that they have no understanding of privacy or security.
Re: Absolute idiots
"Most systems (e.g., ftp and ssh servers) stopped leaking data this way about twenty years ago. There is no excuse whatsoever for designing the login page this way."
One plausible excuse is that it aids the users in identifying login issues.
This is similar to SMTP systems which bounce bad addresses. They reveal information about existing accounts, but there's no denying they serve a useful purpose too.
Regardless of that though there is an important difference between a facebook account and an ssh account. Facebook is intended to be a communications medium. It's necessary to know who else is on to provide a reasonable experience. Users who sign up wanting the fact of their registration to remain private should use a false email account in the first place.
Granted, it's not necessary to reveal other users through the login page, but at some point users have a reasonable expectation to find out whether someone else is registered or not. Therefore, this "hack" doesn't reveal any additional information that wouldn't otherwise be available elsewhere.
It's a feature, not a bug
Really now this is all a bit exaggerated.
Identification is not authentication!
If you truly believe this principal, then there is no flaw.
If you do not believe this principal, then there are far more serious vulnerabilities to go after; consider SSNs and credit card numbers.
It's neither - it's a security flaw
You obviously have no understanding of security.
The *only* safe response is along the lines of 'Permission denied. Please try again.' because using a single, never changing message doesn't give hints about whether the user name, password or both are wrong.
Even better security is when the OS disables that login device after 3 or so failed login attempts and leaves it disabled until a sysadmin has investigated whether this was an attack or just finger trouble. If you don't like this idea I bet you also think that it's a really bad idea for an ATM to swallow your credit card after three failed attempts to enter your PIN.
I'd correct you but
My my principles are the principal reason I can't
Re: You obviously have no understanding of security.
"The *only* safe response is along the lines of 'Permission denied. Please try again."
Of course I understood the argument. The point is, an email address is already public information. Think of all the people who have it: friends, coworkers, employers, banks, recruiters, e-stores, spammers, ISPs, websites, etc. Any one of these could be a wolf in sheep's clothing.
A secure system does not depend on the confidentiality of an email address. If the use of a public email address breaks the security of a website, then the website's security is broken.
Get used to it; an email address can not, never has, never will be considered secure. It would be folly to pretend it is.
"Even better security is when the OS disables that login device after 3 or so failed login attempts and leaves it disabled"
When implemented exactly this way, it's ripe for abuse through denial of service attacks. Consider a large site with millions of active users, a bot could easily go disabling accounts, pissing off legitimate users and admins. A better approach is to throttle the logins so that brute force attacks are impossible. The system can alert the admins and block attacker's ip addresses.
Even sites that display 'permission denied' or 'invalid user name or password' then fall into the trap of allowing you to enter an email address for a password reset, which returns either 'that address doesn't exist' or 'we've sent you an email'. So someone wanting to query valid or invalid accounts still has a means to do it.
"Get used to it; an email address can not, never has, never will be considered secure. It would be folly to pretend it is."
I understand the technical truth of your argument, however I cannot stand the idea that spammers basically have free rein to discover my email address because of the error (or insufficient protection) of a third-party website who _says_ that my data is private.
I still prefer the idea of a unique login error message like 'Permission denied. Please try again.'
I know the lusers will find that maddeningly uninformative, but those who are consistently told everything they must do will never learn to pay attention anyway.
I don't think you do understand the argument.
I've no idea whether you've got a Facebook account. If you have, I've no idea what your login or password is to Facebook. But I can start trying common variations of your name with Hotmail, Gmail, Yahoo, etc. email addresses and (currently) Facebook will tell me as soon as I've hit an address which is a valid username. Then I "just" need to crack your password (if that email address is you). Most websites rely on a username and a password; two bits of information. As soon as they start giving information from which I can conclude I've got the username right, I'm now down to needing just one piece of information.
Yes sure, not a major gaping hole, but a pointless giving away of information which shouldn't be given away.
Regarding your last paragraph, try reading the OP's comment properly... "disables the **login device** after 3 or so failed login attempts". Not disables the account.
In that case ...
they're shit sites.
I have seen a few forum-type sites which simply say "thank you for your password reset request. If the email address you entered was valid, you will receive an email soon"
so there's no way to use it to distinguish between true account holders and guesses.
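The uniform password-reset reply quoted above, together with the single-message login failure and the throttle-instead-of-lockout idea raised earlier in the thread, as an added example that is not part of any comment and is not Facebook's or The Register's code. `AccountService`, the login and throttle message strings, and the limit of 3 failures per hour per client IP are assumptions; an in-memory dict stands in for the user database.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque

# One message per outcome class; none depends on whether the account exists.
LOGIN_FAIL = "Invalid email address or password."
RESET_SENT = ("If the email address you entered was valid, "
              "you will receive an email soon.")
THROTTLED = "Too many failed attempts. Please try again later."


def _kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class AccountService:
    """Hypothetical in-memory account store (stands in for a real database)."""

    def __init__(self, max_failures=3, window=3600.0, clock=time.monotonic):
        self.users = {}                      # email -> (salt, password hash)
        self.outbox = []                     # (recipient, body) mails "sent"
        self.failures = defaultdict(deque)   # client IP -> failure timestamps
        self.max_failures, self.window, self.clock = max_failures, window, clock
        # Unknown emails are checked against this record so the same KDF work
        # is done on both paths; the `known` flag below decides the outcome.
        self._dummy = (os.urandom(16), os.urandom(32))

    def register(self, email, password):
        salt = os.urandom(16)
        self.users[email.lower()] = (salt, _kdf(password, salt))

    def _recent_failures(self, ip):
        q, now = self.failures[ip], self.clock()
        while q and now - q[0] > self.window:
            q.popleft()                      # forget failures outside the window
        return q

    def login(self, ip, email, password):
        recent = self._recent_failures(ip)
        if len(recent) >= self.max_failures:
            return False, THROTTLED          # keyed on the client, not the account
        known = email.lower() in self.users
        salt, stored = self.users.get(email.lower(), self._dummy)
        match = hmac.compare_digest(_kdf(password, salt), stored)
        if known and match:
            return True, "Welcome."
        recent.append(self.clock())
        return False, LOGIN_FAIL             # same text for bad email or password

    def request_reset(self, email):
        if email.lower() in self.users:
            token = os.urandom(16).hex()
            self.outbox.append((email.lower(), f"Reset token: {token}"))
        return RESET_SENT                    # identical whether or not mail went out
```

Because the throttle counts failures per client rather than per account, a bot cycling through addresses slows itself down without locking any legitimate user out of their own account.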
L33ks and tatties
Anyone who uses the term "luser" is a loser.
"The point is, an email address is already public information. Think of all the people who have it: friends, coworkers, employers, banks, recruiters, e-stores, spammers, ISPs, websites, etc. Any one of these could be a wolf in sheep's clothing."
The only entity (person, company, website, whatever) that has the email address I use to log into Facebook *is* Facebook.
Don't be daft.
An email addy may be 'public information', yes, but...
The fact that the owner of that addy also has a FaceBook page is NOT!
@Anonymous Coward, Re: I don't think you do understand the argument.
"Yes sure, not a major gaping hole, but a pointless giving away of information which shouldn't be given away."
While the login page does reveal the fact of whether an email has been registered or not, it does not reveal anything not already searchable elsewhere.
For instance, upon registration, facebook will search my webmail account for any "friends" that have been registered in facebook. Knowing that contacts are on facebook is a very practical and desirable feature. Eliminating this feature would make social networking painful to use legitimately.
If you're trying to keep your email address in a bottle, then social networking probably isn't for you. If you're that concerned about people finding you then just setup an alternate email.
The situation is different than if this were a bank website.
For What it's worth
Yahoo! email has a similar response. If you type in a valid user ID and an incorrect password, Yahoo! responds with a message that says either the ID or password is incorrect and asks you to try again. On the other hand, if you incorrectly type your user ID, Yahoo comes back and tells you 'This ID is not yet Taken. Are you trying to register a new account?'
The results can also be used to verify a user account.
Not just Yahoo
This is true. There are more than a few websites that behave in this way and they are all in the wrong and they all need to quit this.
The argument that email addresses are public knowledge, so it doesn't matter, is also wrong.
First of all, I sometimes use email addresses on websites that are not public knowledge and not used for anything else.
Secondly, just because the email address is public knowledge does not mean that every website account that uses it should also be public knowledge.
And thirdly, there are different levels of 'public knowledge'. Yes, you should not rely on security through obscurity. But just because I have shared my email address with friends does not mean I am also happy to share it with a screen-scraping bot operated by spammers & phishers.
Worse culprits than FB
Bad for Facebook to FAIL like this, but there are worse out there.
Take for example MBNA Online Banking (https://www.bankcardservices.co.uk/NASApp/NetAccessXX/LoginProcess), who manage many types of credit card. They changed their login from the usual username and password on the front page to separate pages for the name and password. This was done to enhance security, so they say (https://www.bankcardservices.co.uk/NASApp/NetAccessXX/InfoScreen?key=helpLink&helpKey=wherePassword&newSession=true)
"We have changed the way you log on to Online Banking to better safeguard the privacy and security of your personal information. You will now be prompted for your user name and password on 2 different screens. This will help confirm your identity before you enter your password."
If you enter a correct username, you are taken to the password page, which you can exit without making a login attempt. However, enter a random username and you get the following message
"Incorrect user name
There was a problem processing your request. The user name you entered does not match our records. Please re-enter your user name. Please try again."
I did point out to them that this was in fact a worse security system than before, but their only answer was "we lock accounts after 3 incorrect passwords". A letter of complaint got a series of letters saying they were investigating the problem and finally they replied that they had completed their investigation and passed my comments to their security department. Needless to say, I don't have an account with them any more.
On the plus side...
... it's enabled me to positively prove that I really did delete my account with them some months ago.
What? Is there no "Big Book of Building Secure Systems"?
Hypothesis: all the information one needs to design a secure system is readily available online.
But that's just the trouble: it's online, and unless you are an astute Googler, you will miss some of it. Moreover, it's not integrated; it's bits and pieces here and there with nothing explaining how they all fit together.
What the world needs is a book (yes, a book, not a !@# website) that compiles everything known about building secure systems into a single coherent whole, so as to be an Infallible Reference that one can take to bed and browse before lights out.
The simple fact is that lots of systems are designed and built by idiots, and a single point of reference would serve several purposes: providing a source of integrated design criteria; providing a physical object to whomp the idiots over the head with; and providing lawyers with something they could point to and ask "Did you not follow the Big Book's recommendations? And if not, why not?"
I can think of no explanation for systems with glaring design errors like this one and the many others we regularly read reports of, except that the information is far too scattered.
Sure there are...
Have you tried going to Amazon and searching for "Building Secure Systems"?
You'd be amazed at the list of books to choose between.
(Some of them may actually be good, too)
an even better one
MBNA site. Used to have UN and PW box on one page and changed it to a 2 step process.
So you can keep trying usernames first to get confirmation of ones registered.
I rang them to highlight this and the guy on the phone rather bluntly told me that I was wrong, it was a security 'enhancement' and that no-one there had ever heard of what I was talking about.
would love them to read this story...
I pity anyone with a username of 'PeterSmith' (or similar common variant).
A security enhancement? What fcuking planet are these people on? More's to the point, the developers and project managers should be marched in front of the nearest wall and, ermmm... fired. ;o)
I don't see this as a terrible thing
After all, Facebook is NOT aimed at security-minded techies (who would probably rather mock it). For some people it can be instructive to wonder why their password (probably "secret" or somesuch!) doesn't work, and Facebook helpfully replies to check the caps lock. How many of you have done tech support for less geeky friends, the likes of who talk about "the internet" while pointing at that little blue 'e', who don't want Firefox as they don't entirely understand what a "browser" is, and after persuading to try Firefox, don't see the point as "it looks the same". This is Facebook's demographic. For these people, hand-holding is a Good Thing.
What would perhaps be more useful is to monitor the IP address and only permit three email address attempts per hour, with a block that if a valid address is hit, that address is sticky and others will not be allowed. For genuine people with multiple accounts, logging in and out resets this. This, I feel, shouldn't inconvenience normal users but ought to make data scraping damned difficult.
If this is considered a security flaw....
then el reg is guilty of it too.
Go to http://account.theregister.co.uk/reminder/ and type in an email address. If it's valid, it will say a reminder has been sent. If it's not valid it says:
"That address does not appear to be registered."
Good way to get a list of valid email addresses, then next step is to try and get passwords.
Just an example, facebook isn't the only one who does these type things.
As much as I don't like FB...
I can see they're finding a lot of flaws.
Why did they never find many for Bebo or Myspace when they were massively popular?
Is FB just badly built up and open to many flaws or is there something else at work here?
I doubt MZ is worried yet..
It could only be 84% someone else's problem soon.
It is a real PITA when it does have the same message and you don't know which email address you used for that site. It offers no extra security to hide which are valid addresses since they are already purposefully searchable.
As a compromise..
..why not display a message stating that there was a problem with either your email address or password to the user and then have the code check the email address against the user database and if it exists email the owner and alert them that the problem was actually the password. That way the legitimate owner of the email address knows if he/she got the password wrong and anybody attempting to guess email addresses still gets no clues.
@ Andy 17
Good idea. I was trying to reregister Avast as the UI thingy just wasn't going to work. Get around to seeing if I could get my old registration information from their site as I couldn't remember which email address I used a year ago...
...and Avast accepted and said "Thank you" for those that I tried, and then sent out the following message:
"Somebody, hopefully you, filled in the avast! Home Edition license resend form" [blah blah] "We are sorry, but we have no record in our database for the email address provided." [blah.]
A real PITA when Avast doesn't tell you itself and the site gives no clues, but hey... flip side of the coin, they're not letting anything slip.
I've tried this and it does not do as reported.
The insecure way is better for the user.
For the end user, the current FB sign in is actually better than what is recognised as a more secure method, like for example theregister.
An incorrect login attempt at theregister leaves the end user with this unhelpful message
"Your username or password are invalid"
Security conscious users will be happy with that, as it leaves no clues for anyone trying to blindly guess account details. However, for the legitimate user, you are left with the dilemma and time consuming exercise of trying to figure out which e-mail account you actually used to sign up with, and which password you used for that account - because the login page is not being helpful with that message. It's treating everybody as the bad guy, and that is wrong.
If the message (like FB) instead stated "Incorrect Password" or "That email address is not registered", then at least the end user has a chance to narrow down where he has gone wrong, and simply try another of his e-mail addresses used for logins.
This is a classic case of the end user (good guys) being penalised or inconvenienced by systems put in place due to the potential actions of spammers/hackers (bad guys). That is bad.
Websites should find ways of protecting their data and users without inconveniencing them.
CAPTCHA is another PITA, some of those freaking things you just can't read even after several attempts!
Quote: "However, for the legitimate user, you are left with the dilemma and time consuming exercise of trying to figure out which e-mail account you actually used to sign up with, and which password you used for that account - because the login page is not being helpful with that message"
If an individual cannot remember which email address was used then that simply demonstrates that said user is at fault. It is not the role of any security aware app to resolve users, errrr, 'housekeeping' issues. That is for the user.
Quote: "It's treating everybody as the bad guy, and that is wrong."
Simply put, you are wrong! I take it that you are not a developer? I say that because it is that assumption you make that drives - for example - SQL injection vulnerabilities. 'Security 101': Treat all input (and all actions) as suspicious.... Anything less and you are asking for problems.
Quote: "This is a classic case of the end user (good guys) being penalised or inconvenienced by systems put in place due to the potential actions of spammers/hackers (bad guys). That is bad."
No. That is good! Ease of convenience for the end user should be a consideration, but should never be the deciding factor, especially where such accommodation would result in degraded security.
Quote: "Websites should find ways of protecting their data and users without inconveniencing them."
No. Users should bloody well remember their account details. Simple! If they can't then they should expect to be inconvenienced. Of course, lessening user inconvenience - whilst maintaining application security - is a worthy goal.
Quote: "CAPTCHA is another PITA, some of those freaking things you just can't read even after several attempts!"
I agree - in part. Some CAPTCHAS are as good as unreadable. However, that does not mean they should be disregarded.
All I can say - after reading your comments - is that I sincerely hope you are in no way involved with either systems development or security!
Mountain out of a molehill anyone?
Honestly, if I gave a toss about the public/private nature of the email address associated with my Facebook account then I wouldn't have signed up in the first place. There are huge numbers of sites which respond in a manner whereby you could work out whether an email address belonged to a valid user or not - even El Reg offers a password reminder and will tell you if you enter an unregistered email address - thus allowing you to work out which addresses are real.
So if you want to be completely unbiased and fair, the article should also point out that a very similar security flaw exists on the very site you are all posting on.
@ anon, fact check required. I think you'll find El Reg does not tell you which part of the login failed, at least it didn't when I tried to login an hour ago.
Nope. It's definitely not a "classic case of the end user (good guys) being penalised or inconvenienced by systems put in place due to the potential actions of spammers/hackers (bad guys)."
Everyone should take responsibility for their own security. And that should mean, as others have pointed out, the login pages should NOT give the opportunity of second-guessing email addresses or passwords.
If it means writing login details on a Post-it note because the user hasn't enough brain cells to remember then so be it, at least then that user takes responsibility for being a twunt.
post it notes!
What security advice are you reading that states logins should be written on post it notes, that's a far worse security risk than anything else mentioned here.
Last time I checked most sites where security actually matters would advise users not to write their logins down anywhere.
Post it notes, good one!
If you recheck my post (13:18GMT), you will notice that I never claimed the method was identical, but if you deliberately enter an incorrect set of details (on the Reg site) you get the option to send a password reminder - entering an invalid address in this particular screen returns an error stating the address is invalid, whereas entering a valid one does not. That makes it just as exploitable as the FB method, albeit with a slightly different type of script required.
For the record, I don't care about the relative security benefits/drawbacks as I'm not that precious about my "public" details, I'm just pointing out that many many sites, including this one, have exploitable features in their account management systems.
I think it's retarded that the login isn't encrypted in the first place. I bet you they log your email address's password every time you screw up and enter it on accident instead of your Facebook password. They could probably sell that to an entity for big money. Under the table I'm sure. Imagine what could be learned then?
Telephone Directory Leak
I think this issue is being blown out of proportion. Who cares if a spammer could potentially harvest email addresses from Facebook? Maybe if they were a little smarter they could use a public telephone directory and get some real worthwhile information!
With this vulnerability you can verify an e-mail address, then do a friendfinder when logged in to get the names and friend names of users with those e-mail addys. Then you can send them an e-mail 'from Farcebook' saying this friend has sent them a message, click here to see the message.............
Yep it matters, more than many above seem to account for.