Facebook Old Password vs Incorrect Password

By December 26, 2011InfoSec

So, I went to log into Facebook today, but typed in an incorrect password. Well, actually it was an old password. Facebook, in all its infinite wisdom, stated this – “Sorry! You entered an old password” as well as informed me when I last changed my password (click the image below to see the full-size version):

Now, when you enter a totally wrong/incorrect password, you get “Please re-enter your password” “The password you entered is not correct” (again, click the image below to see the full-size version):

Does anyone else see an issue with this? I know I do. Knowing human nature, people reuse passwords. So, now, from one single page, you have my email account AND knowledge of a password I’ve previously used. While the password may not work for Facebook, it probably would work somewhere else. The first place I would think to test it? Your email account. And what happens if I get access to your email account? Well, how do people usually get password resets? Ah, email! Bingo! 🙂 So now I’ve got access to other accounts… and on and on and on.

It wouldn’t be too hard to automate testing Facebook passwords using a tool like Burp Intruder (http://portswigger.net/burp/intruder.html). Judging on the response sizes, you could determine whether A) You found a totally incorrect password B) You’ve found an old password, or C) You’ve successfully logged in/gained access to the FB account.

Now, this does not take into account any other protection mechanisms that Facebook might have in place, such as locking out an account after a series of invalid logon attempts, login approvals, etc.

Oh Facebook, you fail again…

2 Comments

Leave a Reply