Facebook login page still leaks sensitive info

Facebook's login system continues to spill information that can be helpful to phishers, social engineers and other miscreants attempting to scam the more than 500 million active users of the social networking site. When a legitimate email address is entered along with an incorrect password, the authentication system returns an …

COMMENTS

This topic is closed for new posts.
  1. A handle is required
    FAIL

    No excuse

    There's no excuse to get this fixed immediately. They only have one main login page and a handful of others for cross-site logins; how many changes do they need to make?

  2. Brandon Lockaby

    Not necessary

    It's weird to see you talking of going to all that trouble, because I figured it was common knowledge that you can just enter an email address into Facebook's search box. The Facebook account matching that email address is returned regardless of whether the account holder chose to share the information.

    1. lpopman
      Headmaster

      titular mumblings

      "It's weird to see you talking of going to all that trouble, because I figured it was common knowledge that you can just enter an email address into Facebook's search box."

      Except that you can only do a search if you are logged in.

      This vulnerability can be used to verify email addresses, so would be useful to spammers.

      1. Tom 13

        And a spammer wouldn't have a Facebook account

        he could log into because ... ?

        Hate to say it but the guy has a serious point. There's no security to creating a Facebook account. Spammers could create 1 per hour per bot to validate and skim addresses if they so chose.

  3. Jimmy Floyd
    FAIL

    Quick-fix solution

    I also note that last week's bug is not fixed so much as duct-taped together.

    If you enter an invalid password on a machine where the cookies from the previous session still exist, Facebook will continue to offer up the full name of the account holder.

    It's not as serious as the original bug which displayed such information irrespective of the cookie, but it's still dangerous for those on shared or public computers. It's also completely unnecessary: in what situation would the full name of the user be useful?!

    I also haven't done any research into whether the cookie that decides whether a name is shown might be forged. I'll leave that to the collective wisdom of the El Reg journos and commentards.

  4. Anonymous Coward
    Flame

    Absolute idiots

    Most systems (e.g., ftp and ssh servers) stopped leaking data this way about twenty years ago. There is no excuse whatsoever for designing the login page this way.

    That their 'fix' is to stop displaying names and pictures, rather than changing the underlying behavior, is yet another demonstration that they have no understanding of privacy or security.

    1. Lou Gosselin

      Re: Absolute idiots

      "Most systems (e.g., ftp and ssh servers) stopped leaking data this way about twenty years ago. There is no excuse whatsoever for designing the login page this way."

      One plausible excuse is that it aids the users in identifying login issues.

      This is similar to smtp systems which bounce bad addresses. They reveal information about existing accounts, but there's no denying they serve a useful purpose too.

      Regardless of that though there is an important difference between a facebook account and an ssh account. Facebook is intended to be a communications medium. It's necessary to know who else is on to provide a reasonable experience. Users who sign up wanting the fact of their registration to remain private should use a false email account in the first place.

      Granted, it's not necessary to reveal other users through the login page, but at some point users have a reasonable expectation to find out whether someone else is registered or not. Therefore, this "hack" doesn't reveal any additional information that wouldn't otherwise be available elsewhere.

  5. Lou Gosselin

    It's a feature, not a bug

    Really now this is all a bit exaggerated.

    Identification is not authentication!

    If you truly believe this principal, then there is no flaw.

    If you do not believe this principal, then there are far more serious vulnerabilities to go after; consider SSNs and credit card numbers.

    1. Martin Gregorie

      It's neither - it's a security flaw

      You obviously have no understanding of security.

      The *only* safe response is along the lines of 'Permission denied. Please try again.' because using a single, never changing message doesn't give hints about whether the user name, password or both are wrong.

      Even better security is when the OS disables that login device after 3 or so failed login attempts and leaves it disabled until a sysadmin has investigated whether this was an attack or just finger trouble. If you don't like this idea I bet you also think that it's a really bad idea for an ATM to swallow your credit card after three failed attempts to enter your PIN.

      1. Lou Gosselin

        Re: You obviously have no understanding of security.

        "The *only* safe response is along the lines of 'Permission denied. Please try again."

        Of course I understood the argument. The point is, an email address is already public information. Think of all the people who have it: friends, coworkers, employers, banks, recruiters, e-stores, spammers, ISPs, websites, etc. Any one of these could be a wolf in sheep's clothing.

        A secure system does not depend on the confidentiality of an email address. If the use of a public email address breaks the security of a website, then the website's security is broken.

        Get used to it; an email address cannot, never has, never will be considered secure. It would be folly to pretend it is.

        "Even better security is when the OS disables that login device after 3 or so failed login attempts and leaves it disabled"

        When implemented exactly this way, it's ripe for abuse through denial of service attacks. Consider a large site with millions of active users: a bot could easily go disabling accounts, pissing off legitimate users and admins. A better approach is to throttle the logins so that brute force attacks are impossible. The system can alert the admins and block attackers' ip addresses.

        1. Pascal Monett Silver badge

          Re:Lou Gosselin

          "Get used to it; an email address can not, never has, never will be considered secure. It would be folly to pretend it is."

          I understand the technical truth of your argument, however I cannot stand the idea that spammers basically have free rein to discover my email address because of the error (or insufficient protection) of a third-party website who _says_ that my data is private.

          I still prefer the idea of a unique login error message like "Permission denied. Please try again."

          I know the lusers will find that maddeningly uninformative, but those who are consistently told everything they must do will never learn to pay attention anyway.

          1. Barracoder
            Flame

            L33ks and tatties

            Anyone who uses the term "luser" is a loser.

        2. Anonymous Coward
          FAIL

          @Lou Gosselin

          I don't think you do understand the argument.

          I've no idea whether you've got a Facebook account. If you have, I've no idea what your login or password is to Facebook. But I can start trying common variations of your name with Hotmail, Gmail, Yahoo, etc. email addresses and (currently) Facebook will tell me as soon as I've hit an address which is a valid username. Then I "just" need to crack your password (if that email address is you). Most websites rely on a username and a password; two bits of information. As soon as they start giving information from which I can conclude I've got the username right, I'm now down to needing just one piece of information.

          Yes sure, not a major gaping hole, but a pointless giving away of information which shouldn't be given away.

          Regarding your last paragraph, try reading the OP's comment properly... "disables the **login device** after 3 or so failed login attempts". Not disables the account.

          1. Lou Gosselin

            @Anonymous Coward, Re: I don't think you do understand the argument.

            "Yes sure, not a major gaping hole, but a pointless giving away of information which shouldn't be given away."

            While the login page does reveal the fact of whether an email has been registered or not, it does not reveal anything not already searchable elsewhere.

            For instance, upon registration, facebook will search my webmail account for any "friends" that have been registered in facebook. Knowing that contacts are on facebook is a very practical and desirable feature. Eliminating this feature would make social networking painful to use legitimately.

            If you're trying to keep your email address in a bottle, then social networking probably isn't for you. If you're that concerned about people finding you then just set up an alternate email.

            The situation is different than if this were a bank website.

        3. VinceH

          Letters, Digits.

          "The point is, an email address is already public information. Think of all the people who have it: friends, coworkers, employers, banks, recruiters, e-stores, spammers, ISPs, websites, etc. Any one of these could be a wolf in sheep's clothing."

          The only entity (person, company, website, whatever) that has the email address I use to log into Facebook *is* Facebook.

        4. Trygve Henriksen
          Unhappy

          Don't be daft.

          An email addy may be 'public information', yes, but...

          The fact that the owner of that addy also has a FaceBook page is NOT!

      2. madferret
        Unhappy

        but...

        even sites that display 'permission denied' or 'invalid user name or password' then fall into the trap of allowing you to enter an email address for a password reset, which returns either 'that address doesn't exist' or 'we've sent you an email'. So someone wanting to query valid or invalid accounts still has a means to do it.

        1. JimmyPage Silver badge

          In that case ...

          they're shit sites.

          I have seen a few forum-type sites which simply say "thank you for your password reset request. If the email address you entered was valid, you will receive an email soon"

          so there's no way to use it to distinguish between true account holders and guesses.

    2. Anonymous Coward
      Anonymous Coward

      I'd correct you but

      My my principles are the principal reason I can't

  6. cherkoguy

    For What it's worth

    Yahoo! email has a similar response. If you type in a valid user ID and an incorrect password, Yahoo! responds with a message that says either the ID or password is incorrect and asks you to try again. On the other hand, if you incorrectly type your user ID, Yahoo comes back and tells you "This ID is not yet Taken. Are you trying to register a new account?"

    The results can also be used to verify a user account.

    1. Gav
      Stop

      Not just Yahoo

      This is true. There are more than a few websites that behave in this way and they are all in the wrong and they all need to quit this.

      The argument that email addresses are public knowledge, so it doesn't matter, is also wrong.

      First of all, I sometimes use email addresses on websites that are not public knowledge and not used for anything else.

      Secondly, just because the email address is public knowledge does not mean that every website account that uses it should also be public knowledge.

      And thirdly, there are different levels of 'public knowledge'. Yes, you should not rely on security through obscurity. But just because I have shared my email address with friends does not mean I am also happy to share it with a screen-scraping bot operated by spammers & phishers.

  7. Dino Saur
    FAIL

    Worse culprits than FB

    Bad for Facebook to FAIL like this, but there are worse out there.

    Take for example MBNA Online Banking (https://www.bankcardservices.co.uk/NASApp/NetAccessXX/LoginProcess), who manage many types of credit card. They changed their login from the usual username and password on the front page to separate pages for the name and password. This was done to enhance security, so they say (https://www.bankcardservices.co.uk/NASApp/NetAccessXX/InfoScreen?key=helpLink&helpKey=wherePassword&newSession=true)

    "We have changed the way you log on to Online Banking to better safeguard the privacy and security of your personal information. You will now be prompted for your user name and password on 2 different screens. This will help confirm your identity before you enter your password."

    If you enter a correct username, you are taken to the password page, which you can exit without making a login attempt. However, enter a random username and you get the following message

    "Incorrect user name

    Error

    There was a problem processing your request. The user name you entered does not match our records. Please re-enter your user name. Please try again."

    I did point out to them that this was in fact a worse security system than before, but their only answer was "we lock accounts after 3 incorrect passwords". A letter of complaint got a series of letters saying they were investigating the problem and finally they replied that they had completed their investigation and passed my comments to their security department. Needless to say, I don't have an account with them any more.

  8. Shadowfirebird

    On the plus side...

    ... it's enabled me to positively prove that I really did delete my account with them some months ago.

  9. RW
    Boffin

    What? Is there no "Big Book of Building Secure Systems"?

    Hypothesis: all the information one needs to design a secure system is readily available online.

    But that's just the trouble: it's online, and unless you are an astute Googler, you will miss some of it. Moreover, it's not integrated; it's bits and pieces here and there with nothing explaining how they all fit together.

    What the world needs is a book (yes, a book, not a !@# website) that compiles everything known about building secure systems into a single coherent whole, so as to be an Infallible Reference that one can take to bed and browse before lights out.

    The simple fact is that lots of systems are designed and built by idiots, and a single point of reference would serve several purposes: providing a source of integrated design criteria; providing a physical object to whomp the idiots over the head with; and providing lawyers with something they could point to and ask "Did you not follow the Big Book's recommendations? And if not, why not?"

    I can think of no explanation for systems with glaring design errors like this one and the many others we regularly read reports of, except that the information is far too scattered.

    1. Trygve Henriksen

      Sure there are...

      Have you tried going to Amazon and searching for "Building Secure Systems"?

      You'd be amazed at the list of books to choose between.

      (Some of them may actually be good, too)

  10. Seanie Ryan
    Grenade

    an even better one

    https://www.bankcardservices.co.uk

    MBNA site. Used to have UN and PW box on one page and changed it to a 2 step process.

    So you can keep trying usernames first to get confirmation of ones registered.

    I rang them to highlight this and the guy on the phone rather bluntly told me that i was wrong, it was a security 'enhancement' and that no-one there had ever heard of what I was talking about.

    would love them to read this story...

    1. Anonymous Coward
      Thumb Up

      Unbelievable!

      I pity anyone with a username of 'PeterSmith' (or similar common variant).

      A security enhancement? What fcuking planet are these people on? More to the point, the developers and project managers should be marched in front of the nearest wall and, ermmm... fired. ;o)

  11. heyrick Silver badge

    I don't see this as a terrible thing

    After all, Facebook is NOT aimed at security-minded techies (who would probably rather mock it). For some people it can be instructive to wonder why their password (probably "secret" or somesuch!) doesn't work, and Facebook helpfully replies to check the caps lock. How many of you have done tech support for less geeky friends, the likes of whom talk about "the internet" while pointing at that little blue 'e', who don't want Firefox as they don't entirely understand what a "browser" is, and after persuading them to try Firefox, don't see the point as "it looks the same". This is Facebook's demographic. For these people, hand-holding is a Good Thing.

    What would perhaps be more useful is to monitor the IP address and only permit three email address attempts per hour, with a block that if a valid address is hit, that address is sticky and others will not be allowed. For genuine people with multiple accounts, logging in and out resets this. This, I feel, shouldn't inconvenience normal users but ought to make data scraping damned difficult.

  12. Darkwolf

    If this is considered a security flaw....

    then el reg is guilty of it too.

    Go to http://account.theregister.co.uk/reminder/ and type in an email address. If it's valid, it will say a reminder has been sent. If it's not valid it says:

    "That address does not appear to be registered."

    Good way to get a list of valid email addresses, then next step is to try and get passwords.

    Just an example, facebook isn't the only one who does these type things.

  13. Tigra 07
    IT Angle

    As much as I don't like FB...

    I can see they're finding a lot of flaws.

    Why did they never find many for Bebo or Myspace when they were massively popular?

    Is FB just badly built up and open to many flaws or is there something else at work here?

  14. Dan Breen
    Badgers

    I doubt MZ is worried yet..

    It could only be 84% someone elses problem soon.

  15. Ben Norris

    Actually...

    it is a real PITA when it does have the same message and you don't know which email address you used for that site. It offers no extra security to hide which are valid addresses since they are already purposefully searchable.

  16. Andy 17
    Megaphone

    As a compromise..

    ..why not display a message stating that there was a problem with either your email address or password to the user and then have the code check the email address against the user database and if it exists email the owner and alert them that the problem was actually the password. That way the legitimate owner of the email address knows if he/she got the password wrong and anybody attempting to guess email addresses still gets no clues.

    1. heyrick Silver badge

      @ Andy 17

      Good idea. I was trying to reregister Avast as the UI thingy just wasn't going to work. Get around to seeing if I could get my old registration information from their site as I couldn't remember which email address I used a year ago...

      ...and Avast accepted and said "Thank you" for those that I tried, and then sent out the following message:

      "Somebody, hopefully you, filled in the avast! Home Edition license resend form" [blah blah] "We are sorry, but we have no record in our database for the email address provided." [blah.]

      A real PITA when Avast doesn't tell you itself and the site gives no clues, but hey... flip side of the coin, they're not letting anything slip.
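The design several commenters converge on (Martin Gregorie's single unchanging failure message, Lou Gosselin's per-IP throttling instead of account lockout, JimmyPage's non-committal reset reply and Andy 17's out-of-band notification of the real owner), as an added Python example that is not code from the thread, from Facebook or from El Reg. The `AuthService` class, its in-memory user table, outbox and the sample addresses are hypothetical stand-ins for a real database and mailer.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict

GENERIC_LOGIN_MSG = "Permission denied. Please try again."
GENERIC_RESET_MSG = ("Thank you. If the email address you entered is registered, "
                     "you will receive an email shortly.")
THROTTLE_MSG = "Too many attempts from your address. Please wait and try again."


def _derive(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever password hash a real site uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class AuthService:
    """Login and reset handlers that never confirm whether an address exists.

    Hypothetical in-memory service: the user table, per-IP attempt log and
    outbox are constructed stand-ins for a real database and mailer.
    """

    def __init__(self, max_per_window: int = 5, window: float = 60.0):
        self.users = {}                      # email -> (salt, derived hash)
        self.attempts = defaultdict(list)    # client ip -> failure timestamps
        self.outbox = []                     # (recipient, message) pairs
        self.max_per_window = max_per_window
        self.window = window
        # Dummy credentials: an unknown address costs the same hash work as a
        # known one, so response time does not reveal which addresses exist.
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = _derive(os.urandom(16).hex(), self._dummy_salt)

    def register(self, email: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[email] = (salt, _derive(password, salt))

    def _throttled(self, ip: str, now: float) -> bool:
        # Throttle per source address rather than locking the account, so a
        # bot cannot lock legitimate users out by guessing at their address.
        recent = [t for t in self.attempts[ip] if t > now - self.window]
        self.attempts[ip] = recent
        return len(recent) >= self.max_per_window

    def login(self, email: str, password: str, ip: str, now=None):
        """Return (success, message); the message is identical for a wrong
        password and for an unregistered address."""
        if now is None:
            now = time.time()
        if self._throttled(ip, now):
            return (False, THROTTLE_MSG)
        salt, stored = self.users.get(email, (self._dummy_salt, self._dummy_hash))
        match = hmac.compare_digest(_derive(password, salt), stored)
        if match and email in self.users:
            self.attempts[ip].clear()
            return (True, "Logged in.")
        self.attempts[ip].append(now)
        if email in self.users:
            # Andy 17's compromise: tell the real owner out of band that the
            # password was wrong; the requester still sees only the generic text.
            self.outbox.append((email, "A login attempt for your account used "
                                       "the wrong password."))
        return (False, GENERIC_LOGIN_MSG)

    def request_reset(self, email: str) -> str:
        """Same reply whether or not the address is registered; only a
        registered owner gets mail."""
        if email in self.users:
            self.outbox.append((email, "Your password reset link: [placeholder]"))
        return GENERIC_RESET_MSG


if __name__ == "__main__":
    svc = AuthService()
    svc.register("alice@example.com", "correct horse")   # constructed sample user
    print(svc.login("alice@example.com", "wrong", "203.0.113.5"))
    print(svc.login("nobody@example.com", "wrong", "203.0.113.5"))
    print(svc.request_reset("nobody@example.com"))
```

Both failed logins and both reset requests print the same text; only the outbox differs, and only the registered owner can see it.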

  17. Anonymous Coward
    Anonymous Coward

    Rubbish

    I've tried this and it does not do as reported.

  18. R0CKY

    The insecure way is better for the user.

    For the end user, the current FB sign in is actually better than what is recognised as a more secure method, like for example theregister.

    An incorrect login attempt at theregister leaves the end user with this unhelpful message

    "Your username or password are invalid"

    Security conscious users will be happy with that, as it leaves no clues for anyone trying to blindly guess account details. However, for the legitimate user, you are left with the dilemma and time consuming exercise of trying to figure out which e-mail account you actually used to sign up with, and which password you used for that account - because the login page is not being helpful with that message. It's treating everybody as the bad guy, and that is wrong.

    If the message (like FB) instead stated "Incorrect Password" or "That email address is not registered", then at least the end user has a chance to narrow down where he has gone wrong, and simply try another of his e-mail addresses used for logins.

    This is a classic case of the end user (good guys) being penalised or inconvenienced by systems put in place due to the potential actions of spammers/hackers (bad guys). That is bad.

    Websites should find ways of protecting their data and users without inconveniencing them.

    CAPTCHA is another PITA, some of those freaking things you just can't read even after several attempts!

    1. Anonymous Coward
      WTF?

      @R0CKY

      Quote: "However, for the legitimate user, you are left with the dilemma and time consuming exercise of trying to figure out which e-mail account you actually used to sign up with, and which password you used for that account - because the login page is not being helpful with that message"

      If an individual cannot remember which email address was used then that simply demonstrates that said user is at fault. It is not the role of any security aware app to resolve users', errrr, 'housekeeping' issues. That is for the user.

      Quote: "It's treating everybody as the bad guy, and that is wrong."

      Simply put, you are wrong! I take it that you are not a developer? I say that because it is that assumption you make that drives - for example - SQL injection vulnerabilities. 'Security 101': Treat all input (and all actions) as suspicious.... Anything less and you are asking for problems.

      Quote: "This is a classic case of the end user (good guys) being penalised or inconvenienced by systems put in place due to the potential actions of spammers/hackers (bad guys). That is bad."

      No. That is good! Ease of convenience for the end user should be a consideration, but should never be the deciding factor, especially where such accommodation would result in degraded security.

      Quote: "Websites should find ways of protecting their data and users without inconveniencing them."

      No. Users should bloody well remember their account details. Simple! If they can't, they should expect to be inconvenienced. Of course, lessening user inconvenience - whilst maintaining application security - is a worthy goal.

      Quote: "CAPTCHA is another PITA, some of those freaking things you just can't read even after several attempts!"

      I agree - in part. Some CAPTCHAS are as good as unreadable. However, that does not mean they should be disregarded.

      All I can say - after reading your comments - is that I sincerely hope you are in no way involved with either systems development or security!

  19. Anonymous Coward
    FAIL

    Mountain out of a molehill anyone?

    Honestly, if I gave a toss about the public/private nature of the email address associated with my Facebook account then I wouldn't have signed up in the first place. There are huge numbers of sites which respond in a manner whereby you could work out whether an email address belonged to a valid user or not - even El Reg offers a password reminder and will tell you if you enter an unregistered email address - thus allowing you to work out which addresses are real.

    So if you want to be completely unbiased and fair, the article should also point out that a very similar security flaw exists on the very site you are all posting on.

    1. R0CKY

      Fact Check

      @ anon, fact check required. I think you'll find El Reg does not tell you which part of the login failed, at least it didn't when I tried to login an hour ago.

  20. Ron Eve
    FAIL

    @R0CKY

    Nope. It's definitely not a "classic case of the end user (good guys) being penalised or inconvenienced by systems put in place due to the potential actions of spammers/hackers (bad guys)."

    Everyone should take responsibility for their own security. And that should mean, as others have pointed out, the login pages should NOT give the opportunity of second-guessing email addresses or passwords.

    If it means writing login details on a Post-it note because the user hasn't enough brain cells to remember then so be it, at least then that user takes responsibility for being a twunt.

    1. R0CKY

      post it notes!

      What security advice are you reading that states logins should be written on post-it notes? That's a far worse security risk than anything else mentioned here.

      Last time I checked most sites where security actually matters would advise users not to write their logins down anywhere.

      Post it notes, good one!

  21. Anonymous Coward
    Anonymous Coward

    @R0CKY

    If you recheck my post (13:18GMT), you will notice that I never claimed the method was identical, but if you deliberately enter an incorrect set of details (on the Reg site) you get the option to send a password reminder - entering an invalid address in this particular screen returns an error stating the address is invalid, whereas entering a valid one does not. That makes it just as exploitable as the FB method, albeit with a slightly different type of script required.

    For the record, I don't care about the relative security benefits/drawbacks as I'm not that precious about my "public" details, I'm just pointing out that many many sites, including this one, have exploitable features in their account management systems.

  22. screaminfakah
    Jobs Horns

    Huh

    I think it's retarded that the login isn't encrypted in the first place. I bet you they log your email address's password every time you screw up and enter it on accident instead of your Facebook password. They could probably sell that to an entity for big money. Under the table I'm sure. Imagine what could be learned then?

  23. OMGeeek!

    Telephone Directory Leak

    I think this issue is being blown out of proportion. Who cares if a spammer could potentially harvest email addresses from Facebook? Maybe if they were a little smarter they could use a public telephone directory and get some real worthwhile information!

  24. Beanzy

    Doh!

    With this vulnerability you can verify an e-mail address, then do a friendfinder when logged in to get the names and friend names of users with those e-mail addys. Then you can send them an e-mail 'from Farcebook' saying this friend has sent them a message, click here to see the message.............

    Yep it matters, more than many above seem to account for.
