Facebook Old Password vs Incorrect Password
Noah | December 26, 2011

So, I went to log into Facebook today, but typed in an incorrect password. Well, actually it was an old password. Facebook, in all its infinite wisdom, stated this – “Sorry! You entered an old password” – as well as informed me when I last changed my password (click the image below to see the full-size version):
Now, when you enter a totally wrong/incorrect password, you get “Please re-enter your password” “The password you entered is not correct” (again, click the image below to see the full-size version):
Does anyone else see an issue with this? I know I do. Knowing human nature, people reuse passwords. So, now, from one single page, you have my email account AND knowledge of a password I’ve previously used. While the password may not work for Facebook, it probably would work somewhere else. The first place I would think to test it? Your email account. And what happens if I get access to your email account? Well, how do people usually get password resets? Ah, email! Bingo!
So now I’ve got access to other accounts… and on and on and on.
It wouldn’t be too hard to automate testing Facebook passwords using a tool like Burp Intruder (http://portswigger.net/burp/intruder.html). Judging by the response sizes, you could determine whether A) you found a totally incorrect password, B) you’ve found an old password, or C) you’ve successfully logged in/gained access to the FB account.
Now, this does not take into account any other protection mechanisms that Facebook might have in place, such as locking out an account after a series of invalid logon attempts, login approvals, etc.
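The underlying defect is an information oracle: the login endpoint returns a different response for “old password” than for “wrong password”, so the response itself (or just its length) tells a client whether a guess was ever valid. The fix on the server side is to make every failed login look the same to the client while still recording the old-password match internally, where it is actually useful as a signal of credential reuse or stuffing. The example below is added here and is not Facebook’s code or anything from the original post; it models a small account store with a password history, and all names (`Account`, `classify`, `leaky_login`, `hardened_login`) and the messages it returns are assumptions for illustration. The leaky handler reproduces the distinguishable behaviour the post describes; the hardened handler returns an identical status and body for both failure cases.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Constructed parameters for the demo; a real deployment would tune these.
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 of the password under the given salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


@dataclass
class Account:
    """Hypothetical account record: current hash plus hashes of retired passwords."""
    salt: bytes
    current: bytes
    history: list = field(default_factory=list)


def make_account(current_password: str, old_passwords: list) -> Account:
    # One salt per account keeps the demo short (a single PBKDF2 call per attempt);
    # production stores would normally salt each history entry separately.
    salt = os.urandom(16)
    return Account(
        salt=salt,
        current=hash_password(current_password, salt),
        history=[hash_password(p, salt) for p in old_passwords],
    )


def classify(account: Account, attempt: str) -> str:
    """Return 'ok', 'old' or 'wrong'. This is the server's internal view only."""
    candidate = hash_password(attempt, account.salt)
    if hmac.compare_digest(candidate, account.current):
        return "ok"
    # Walk the whole history without an early exit so that an old-password
    # match costs the same time as a miss; compare_digest is constant-time.
    matched_old = False
    for retired in account.history:
        if hmac.compare_digest(candidate, retired):
            matched_old = True
    return "old" if matched_old else "wrong"


# The behaviour the post describes: three distinguishable responses.
LEAKY_MESSAGES = {
    "ok": "Welcome back",
    "old": "Sorry! You entered an old password",
    "wrong": "The password you entered is not correct",
}


def leaky_login(account: Account, attempt: str) -> dict:
    """Vulnerable form: the body reveals whether the guess was ever a valid password."""
    outcome = classify(account, attempt)
    return {"status": 200 if outcome == "ok" else 401, "body": LEAKY_MESSAGES[outcome]}


def hardened_login(account: Account, attempt: str, audit_log: list) -> dict:
    """Hardened form: both failures share one status and one body.

    The old-password match is still recorded server-side (audit_log stands in
    for whatever telemetry sink the service uses) so defenders can spot
    credential-reuse attempts without disclosing anything to the client.
    """
    outcome = classify(account, attempt)
    if outcome == "old":
        audit_log.append("old_password_reuse")
    if outcome == "ok":
        return {"status": 200, "body": "Welcome back"}
    return {"status": 401, "body": "Incorrect email or password"}


def failures_distinguishable(login_fn, account: Account, old_pw: str, wrong_pw: str) -> bool:
    """True if a client could tell an old-password failure from a wrong-password failure."""
    log = []
    kwargs = {"audit_log": log} if login_fn is hardened_login else {}
    a = login_fn(account, old_pw, **kwargs)
    b = login_fn(account, wrong_pw, **kwargs)
    return a != b or len(a["body"]) != len(b["body"])


if __name__ == "__main__":
    # Constructed sample account: one current password, two retired ones.
    acct = make_account("correct-horse-2011", ["battery-staple-2010", "hunter2-2009"])
    print("leaky distinguishable:", failures_distinguishable(leaky_login, acct, "hunter2-2009", "nope"))
    print("hardened distinguishable:", failures_distinguishable(hardened_login, acct, "hunter2-2009", "nope"))
```

Note that the hardened handler keeps the “old password” knowledge entirely on the server: a burst of `old_password_reuse` events against one account is exactly the signal an operator wants for detecting credential stuffing, and it costs nothing to log it while showing the client a single generic failure.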
Oh Facebook, you fail again…