META BUG BOUNTY: Is It a Bug or a Feature? Decrypting Meta’s Password Policy!

Vishal ML · Published in iQube · 4 min read · Oct 16, 2023

In the world of cybersecurity, unique ‘features’ often emerge that challenge conventional norms. Meta’s login system presents one such puzzle: an enigmatic ‘feature’ that accepts minor password variations while concealing a complex technical mechanism beneath the surface, and it applies across all of Meta’s app products, such as Facebook, Instagram, Messenger and more.

The Puzzle: Unraveling the “Feature”

Meta’s system welcomes minor password variations. For instance, if your password is “dhanu@ush@”, it won’t flinch at “dhanu@ush@!” or “dhanu@uush@”. It’s an intriguing conundrum with technical complexity at its core.

Technical Insights: Behind the Scenes

Password Complexity

While a typical password is 8 characters long, Meta’s system plays in a different league: the character set it accepts is vast.

  • 10 digits: 0123456789
  • 26 lowercase letters: abcdefghijklmnopqrstuvwxyz
  • 26 uppercase letters: ABCDEFGHIJKLMNOPQRSTUVWXYZ
  • 30 special characters: ~!@#$%^&*_-+=`|(){}[]:;"',.?/

This impressive ensemble adds up to 92 possibilities. However, Meta’s twist is that it tolerates one extra character from this set, lowercase and uppercase letters included, at either end of the password (92 at the start + 92 at the end).

For example:

  • ddhanu@ush@
  • Ddhanu@ush@
  • dhanu@ush@H
  • dhanu@ush@h
  • $dhanu@ush@
  • dhanu@ush@| and more…

Here, that gives a total of 184 combinations.

Additionally, it allows a character in the middle of the password (any position other than the first and the last) to be repeated twice in a row.

For example:

  • dhanuu@ush@
  • dhhanu@ush@
  • dhanu@ussh@ and more…

In this case, there are 8 combinations, one for each of the 8 middle characters of the 10-character password.

The real password, the one set by the user, counts as 1. Therefore, the total combination count is 184 + 8 + 1 = 193 combinations!

So, a password like “dhanu@ush@” reveals 193 potential combinations.

It’s important to note that the count grows with the number of characters in the password (each extra middle character adds one more doubling variant), but it is confirmed that at least 185 combinations are accepted in every case. The count never drops below that; it only increases.
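To make the arithmetic above concrete, here is an added example (written for this article, not code from Meta or from the author) that models the tolerant check exactly as the post describes it: the password itself, one extra symbol at either end, or one doubled middle character, plus the Caps Lock and auto-capitalization cases listed later under “Minor Variations”. The character set is built from the post’s own list (the symbol string as printed there contains 29 distinct symbols, so the set here has 91 entries); the closed-form count reproduces the post’s 193 when the stated 92-symbol set is used. The `strict_accepts` function is the conventional exact-match check for contrast, and `guessing_advantage_bits` turns the accepted-set size into the number of bits of guessing strength the tolerance gives away. Function names and the SHA-256 stand-in for a real password hash are assumptions of this example.

```python
import hashlib
import hmac
import math
import string

# Character classes as listed in the post. The symbol string is copied from
# the post's list; as printed there it holds 29 distinct symbols.
SPECIALS = "~!@#$%^&*_-+=`|(){}[]:;\"',.?/"
PAGE_CHARSET = string.digits + string.ascii_lowercase + string.ascii_uppercase + SPECIALS


def page_variants(password: str, charset: str = PAGE_CHARSET) -> set:
    """Every string the post says the login accepts for `password`:
    the password itself, one extra symbol prepended, one extra symbol
    appended, or one middle character doubled."""
    accepted = {password}
    for c in charset:
        accepted.add(c + password)   # extra character at the start
        accepted.add(password + c)   # extra character at the end
    # Doubling applies to the middle characters only (not first, not last).
    for i in range(1, len(password) - 1):
        accepted.add(password[:i + 1] + password[i] + password[i + 1:])
    return accepted


def accepted_set_size(password_len: int, charset_size: int) -> int:
    """Closed form of the post's count: 2 * |charset| end extensions,
    (len - 2) middle doublings, plus the real password itself."""
    return 2 * charset_size + (password_len - 2) + 1


def tolerant_accepts(stored: str, candidate: str, charset: str = PAGE_CHARSET) -> bool:
    """Model of the tolerant check the post describes. On top of the
    variants above it also accepts the Caps Lock inversion and the
    auto-capitalised first letter mentioned under "Minor Variations"."""
    if candidate in page_variants(stored, charset):
        return True
    return candidate in {stored.swapcase(), stored[:1].upper() + stored[1:]}


def hash_password(password: str) -> bytes:
    """Stand-in for a real password hash. A production system would use a
    salted, slow KDF (e.g. Argon2 or bcrypt); plain SHA-256 is used here
    only so the example runs without extra dependencies."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def strict_accepts(stored_hash: bytes, candidate: str) -> bool:
    """The conventional check: exact match only, compared in constant time."""
    return hmac.compare_digest(stored_hash, hash_password(candidate))


def guessing_advantage_bits(accepted_count: int) -> float:
    """log2 of the accepted-set size: each online guess now hits any of
    `accepted_count` strings instead of exactly one, so the password's
    effective guessing strength shrinks by this many bits."""
    return math.log2(accepted_count)


if __name__ == "__main__":
    pw = "dhanu@ush@"  # the post's example password
    print("closed form, 92-symbol set:", accepted_set_size(len(pw), 92))   # 193
    print("enumerated, listed set:    ", len(page_variants(pw)))
    for guess in ("dhanu@ush@!", "dhhanu@ush@", "Dhanu@ush@", "dhanu@ush"):
        print(f"{guess!r}: tolerant={tolerant_accepts(pw, guess)} "
              f"strict={strict_accepts(hash_password(pw), guess)}")
    print("bits given away by a 193-string accepted set:",
          round(guessing_advantage_bits(193), 2))
```

The last figure is the practical takeaway for a defender: an accepted set of 193 strings means a guess is roughly 193 times more likely to succeed than under exact matching, about 7.6 bits off the password’s guessing strength, which is why rate limiting and lockout thresholds matter more, not less, when a verifier is deliberately lenient.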

POC

[Screenshots: original password, combination 1, combination 2]

I have uploaded the full POC video here; please check it:

https://www.youtube.com/playlist?list=PL_fluW0zxjUO6xbkWrlYmkWhCULWNx0UW

Technical Implications: Balancing Act

Let’s dissect the technical implications:

User Expectations:

Users rely on login systems to provide robust security. When a system accepts numerous password variations, it can inadvertently mislead users into believing that minor changes to a password are enough, potentially resulting in weaker passwords.

Security Complexity:

While not a critical risk, this “feature” introduces complexities that depart from conventional security practices. The system’s acceptance of diverse password combinations raises questions about its reliability and adherence to industry-standard security norms.

Minor Variations

This “feature” even accepts minor variations that users introduce by accident. It covers cases such as Caps Lock being enabled, auto-capitalization on mobile devices, an extra character at the beginning or end of the password, and a letter inside the password being typed twice in a row.

The Categorization Conundrum

Classifying this behavior is pivotal. Is it genuinely a “feature,” a “bug,” or perhaps a “flawed business logic”?

Business Logic Vulnerability

From a technical angle, it resembles a “Business Logic Vulnerability”: it permits an action users shouldn’t normally be able to perform, which can jeopardize system integrity.

Login Bypass?

Some liken it to a “Login Bypass” scenario, since it grants access with a password that is not the correct one, merely a variation of it.

Conclusion: Navigating Complexity

In a surprising twist, Meta maintains this is a “feature” and good practice. Yet, the debate continues — is it a feature or a “feature”?

Final Thoughts: Balance and Clarity

While this unique “feature” doesn’t represent a critical security vulnerability, it does raise essential questions about the delicate balance between user-friendliness and security in login systems. It highlights the importance of clearly defining and communicating the nature of such features to users.

In the intricate realm of cybersecurity, we often encounter scenarios where technical nuances blur the line between features and vulnerabilities. Every detail matters.

If you have any queries or need to get in touch, you can reach me at the following links:

LinkedIn: https://www.linkedin.com/in/mr-g0d-hacktivist/

Email: l4tmur@gmail.com

Feel free to contact me through either of these channels.
