Sometimes, in the race to enhance the user experience, we fall short on security and privacy.

Bhavesh Gupta · Published in Tekraze · 2 min read · May 30, 2020

Today I reinstalled Facebook after a long break from it. On the login screen I entered my email and password.

Damn! By mistake I entered my work email, corrected it, and logged in. 47 notifications, 23 messages, and some friend requests. While browsing my feed something struck my mind, and I logged out quickly and was back on the login screen.

Let’s assume my Facebook registered email is savewater@earth.com. This time I intentionally mistyped it as savewatet@earth.com, kept my password the same, and clicked the log in button.

I know you!

Bang bang, Zuckerberg let me log in to my account.

I had no clue how or why anything like this could happen. I repeated the above steps but always ended up getting logged in.

Now I tried to take it to another level. Yes! We are thinking exactly the same thing: PASSWORD.

Assume my actual password is “wearamask” without quotes. This time, keeping my email correct, I mistyped my password as “Wearamask”. Everybody knows Facebook passwords are case sensitive, so by the rules I must not be able to log in, but I did. I was logged in even after entering a wrong password, wow!

I tried these steps on various devices, even ones used for the first time to log in, and on different browsers, but every time I was logged in.

In my opinion, this is not a bug. Facebook knows about this and does it on purpose to ease login for its users. They simply check the entered details against their hashed database values; if they match, you are logged in, but if they don’t, they run some checks and try mistyped alternatives such as CAPS LOCK on or a nearest-key mistype, and if they find a match among those, you are allowed to log in.
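To make the mechanism described above concrete, here is an added example of a typo-tolerant password check; it is not Facebook’s code and nothing is known about their implementation beyond the behaviour observed in this post. It assumes a single salted PBKDF2 hash per account (function names, the 100,000-round parameter and the two correctors, caps-lock inversion and first-character case flip, are my choices; a nearest-key corrector is not implemented). The important design point is that only the hash of the password as typed is stored, and the corrections are applied to the submitted string at verification time, so no weakened variant hashes ever reach the database.

```python
import hashlib
import hmac
import os

# Added example, not Facebook's code: a typo-tolerant password check that stores
# exactly one salted hash per account and applies a small, fixed set of
# corrections to the *submitted* string at verification time.

PBKDF2_ROUNDS = 100_000  # constructed value for the demo; tune for production


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def register(password: str) -> dict:
    """Create the stored record: a random salt and the hash of the password as typed."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


# Correctors: each maps the submitted string to one plausible intended password.
def caps_lock_flip(pw: str) -> str:
    """User typed with CAPS LOCK on: invert the case of every letter."""
    return pw.swapcase()


def first_char_case_flip(pw: str) -> str:
    """Phone keyboards often auto-capitalise the first letter: flip only that one."""
    return pw[0].swapcase() + pw[1:] if pw else pw


CORRECTORS = [caps_lock_flip, first_char_case_flip]


def candidates_for(submitted: str, correctors=CORRECTORS) -> list:
    """Distinct (corrector_name, string) pairs the verifier will test, submission first."""
    out = [(None, submitted)]
    for fix in correctors:
        variant = fix(submitted)
        # A corrector that leaves the string unchanged adds no extra guess.
        if all(variant != s for _, s in out):
            out.append((fix.__name__, variant))
    return out


def verify(record: dict, submitted: str, correctors=CORRECTORS) -> tuple:
    """Return (accepted, corrector_name); corrector_name is None for an exact match."""
    for name, candidate in candidates_for(submitted, correctors):
        digest = hash_password(candidate, record["salt"])
        if hmac.compare_digest(digest, record["hash"]):
            return True, name
    return False, None


def guesses_per_attempt(submitted: str, correctors=CORRECTORS) -> int:
    """How many distinct passwords one login attempt effectively tests."""
    return len(candidates_for(submitted, correctors))


if __name__ == "__main__":
    record = register("wearamask")  # the password from the post
    for attempt in ("wearamask", "Wearamask", "WEARAMASK", "wearamasc"):
        accepted, corrector = verify(record, attempt)
        print(f"{attempt!r}: accepted={accepted}, corrector={corrector}, "
              f"guesses={guesses_per_attempt(attempt)}")
```

The cost of the convenience is visible in `guesses_per_attempt`: with two correctors, one submission of “wearamask” tests three distinct passwords, so a lockout or rate-limit counter should be charged per candidate tested, not per HTTP request, and the corrector that produced the match belongs in the authentication log so that a rise in corrected logins can be noticed.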

This is what appears when you enter a slightly mistyped email but a very different password from the actual one:

https://drive.google.com/file/d/1QHwmBpek6yvSpjPOq6mRD5WkjKmfQvJD/view?usp=drivesdk

BUT why? I don’t see any UX enhancement here that is worth the cost to security and privacy. Let me know in the comments what you think about this: are you concerned, or do you like this “enhanced” UX Facebook is offering?

To do this at your end:

  1. Try “gamil.com” instead of “gmail.com” in your email address while logging into Facebook, if you have a Gmail ID for it. Type the correct password and you will be logged in easily!
  2. Try a minor one- or two-key mistype in your password, keeping the email correct without errors.
  3. Do not mistype the password and the email simultaneously.

Thanks for reading ☺ If you enjoyed it, give it a clap!

Edit 1: Some people responded to me, and it seems they had researched this more than I had. Do check out these links if you’d like to go deeper ;)

https://news.ycombinator.com/item?id=13426544

http://www.arijuels.com/wp-content/uploads/2016/07/CAAJ16.pdf
