79

Does correcting a misspelled username and prompting the user with a valid username introduce a security risk?

I recently tried logging into facebook and misspelled my email. They prompted me with the message below.

Log in as {username}

{email}@gmail.com · Not You?

Please Confirm Password It looks like you entered a slight misspelling of your email or username. We've corrected it for you, but ask that you re-enter your password for added security.

I know usernames aren't really a secret but when a website fixes a misspelling to a correct one, they seem to be taking the 'not a secret' a little too far.

Anders
  • 65,052
  • 24
  • 180
  • 218
GER
  • 865
  • 1
  • 7
  • 9
  • 11
    Allowing checking for existing usernames in the logon functionality is *only* an issue on services where creating an account is *not* public (for example, in case of a intranet logon). When users can sign up, they can check for the availability of usernames using the signup functionality. Having said that, login attempt throttling is still a good idea, but that is another story. – Jacco May 10 '16 at 14:34
  • 2
    @Jacco: Not always, it depends on how sign-up functionality is implemented. [See here](http://security.stackexchange.com/a/47748/8340) for a secure solution that doesn't leave your site vulnerable to user enumeration. However, you are correct. Public sites and hugely popular sites where it can reasonably be determined that a user has an account anyway, user enumeration isn't really a concern. – SilverlightFox May 11 '16 at 09:23
  • @SilverlightFox, interesting intermediate solution. I don't think the usability implication make it workable for most public websites, but for some it could be an option. – Jacco May 11 '16 at 11:20
  • 1
    Related [Facebook password lowercase and uppercase](http://security.stackexchange.com/questions/68013/facebook-password-lowercase-and-uppercase) – MonkeyZeus May 11 '16 at 13:21
  • I'm actually more concerned that it is spell-checking your email address than I would be if it were an arbitrary username. An email address is personally identifiable information: it doesn't just tell you that an account "catsAndDogs42" already exists; it tells you that the owner of that particular email address has an account on the site. If the website were something less savory (and ubiquitous) than Facebook, I wouldn't want it to be publicly discoverable that I have an account, especially with an email like firstname.lastname@example.com. – LiberalArtist May 13 '16 at 06:39
  • This has interesting implications for password complexity requirements - we've long been told that a password like "Liverp001." is much harder to guess than "liverpool", but if the login service automatically does the guessing for you, it may not be as secure as you thought. – Andy Oct 04 '19 at 09:18

3 Answers3

179

As you said, you saw this on facebook - so I tried these steps:

  • Login with lukas@gmail.com and real password -> works
  • Login with lukas@gmail.cmo and real password -> works, too (!)
  • Login with luksa@gmail.com and real password -> also works
  • Login with luksa@mail.com and real password -> also works
  • Login with lukas@gmail.cmo and wrong password -> Wrong password, but email got automatically corrected to the right email
  • Login with lukas@gmail.cmo in a private tab (or a browser with cleared cache & cookies) -> "The email you’ve entered doesn’t match any account"

As the correction only seems to work when I have already successfully logged into FB at this PC, I would say that this is not a vulnerability in facebook.


Edit: Added new test cases; thanks Zymus, simbabque and Micheal Johnson for the suggestions

Lukas
  • 3,158
  • 1
  • 15
  • 20
  • Comments are not for extended discussion; this conversation has been [moved to chat](http://chat.stackexchange.com/rooms/39728/discussion-on-answer-by-lukas-does-correcting-misspelled-usernames-create-a-secu). – Rory Alsop May 13 '16 at 10:32
  • 3
    Consensus from the [archived chat](http://chat.stackexchange.com/rooms/39728/discussion-on-answer-by-lukas-does-correcting-misspelled-usernames-create-a-secu) is that this is a client-side correction based on login cookies. Facebook isn't running a server-side detection algorithm. – Lilienthal May 13 '16 at 12:12
16

Allowing username or email iteration may be a security problem for most sites, but not for Facebook. For sites as large as Facebook, finding emails that have accounts is easy because the sites have so many users. This holds for other huge user databases like Google and Microsoft. These companies just have to be secure in the face of their username/email databases being (sort of) publicly known.

That said, I would be surprised if this was the first time that you were using Facebook with the same browser, computer, or even IP address. It just doesn't make sense for them to complete usernames as any email-looking string is probably close to one or more of their users. I suspect that Facebook had some way of knowing that you were you.

Neil Smithline
  • 14,702
  • 4
  • 38
  • 55
  • 3
    Based on Lukas' answer, your assumption in the 2nd paragraph appears to be correct. – TTT May 10 '16 at 14:21
  • I'm not sure I follow your first paragraph. Why would having a large base of users make "email iteration" less of a security issue? The method they use to determine whether email iteration should be done (e.g. did you log in from this browser or computer before), could also be done by smaller sites, couldn't it? And if so wouldn't it be equally as secure? – TTT May 10 '16 at 14:27
  • 2
    @TTT - It's not that email iteration is less of an issue, it is just that preventing email iteration is basically impossible. For Facebook, any list of personal emails is a pretty good list of Facebook email addresses. While iteration is still a problem, it's not something they can really protect against. So Facebook makes different decisions when weighing user-friendly options v. security to prevent email iteration because they've already lost the email iteration battle. – Neil Smithline May 10 '16 at 14:31
1

Based on the details you've provided here, I would say "Yes, that is a security risk" because it 100% identifies who is registered on the site. I don't know how many times a request can be submitted before a block is placed (CAPTCHA, IP-block, etc) but an attacker could simply "brute-force" a set of usernames and emails to obtain a pretty clear list of who uses the site.

As it is, the system doesn't tell you which you input incorrectly but a script could tell that pretty quickly by just comparing the before with the after.

Worse yet, with a list of usernames and emails, those because target lists for other sites because (I expect) people tend to reuse usernames (as with email addresses).

Looks pretty questionable imho.

Surprised...would think FB would have better sense than that.

jms
  • 21
  • 3
  • 5
    This is Facebook, you can also check if https://www.facebook.com/ exists. I don't see an increased risk here. – Tokk May 10 '16 at 13:53
  • 3
    I guess I see a slight difference because it provides an association of the username with a specific email. Moreover, FB is correcting the username (and email), whereas a failed URL is just a failed URL. – jms May 10 '16 at 13:58
  • 8
    According to other answers, the corrections appear to be based on locally stored cookies – schroeder May 10 '16 at 14:36