Complete, Concrete, Concise

Practical information without the bloat

Security Weakness in FaceBook Login

Yes, this is posted on April 1st and, no, it is not a April Fool’s joke – except, I hope, on FaceBook’s part, otherwise it represents a serious security weakness in their login protocol.

As I logged into FaceBook today, I noticed (too late) that I had caps lock on and expected to be redirected to the Login error / retry page:

Instead, I found myself logged in as normal.

After playing around with it a little bit, I discovered that if you invert the upper case and lower case letters it will still let you log in.

For example, if your password is MySecretPassword and you enter mYsECRETpASSWORD instead, it will still let you log in.

It turns out I am not the first to notice this. Emil Protalinski noticed this back in September 2011 and, according to his article, this is done by design and there are three different forms of your password FB will recognize:

  1. Your original password.
  2. Your original password with the first letter capitalized. This is only for mobile devices, which sometimes capitalize the first character of a word.
  3. Your original password with the case reversed, for those with a caps lock key on.

I am not comfortable with this because it seriously weakens the password because it reduces the number of unique letter combinations by at least half.

Assume passwords can only be two characters long and must be composed of only the following characters a, b, A, B. Then the total number of unique passwords is 16:

  1. aa
  2. aA
  3. Aa
  4. AA
  5. ab
  6. aB
  7. Ab
  8. AB
  9. ba
  10. bA
  11. Ba
  12. BA
  13. bb
  14. bB
  15. Bb
  16. BB

With FaceBook’s password permissiveness, this is reduced to 8 by simply accepting case reversal:

  1. aa is the same as AA
  2. aA is the same as Aa
  3. ab is the same as BA
  4. aB is the same as Ab
  5. ba is the same as BA
  6. bA is the same as Ba
  7. bb is the same as BB
  8. bB is the same as Bb
%d bloggers like this: