Security check – For those who do not know why this is done: the image in which you see some words and are asked to type them for a security check is known as a “Captcha”. This check is done to confirm that you are a genuine end-user, a human, because humans can recognise the characters and bots cannot. Some programmers write bots to register automatically and do spam bombing, and a captcha makes it difficult [ Remember, I am saying difficult and not impossible ] for the bots to by-pass it.
Today, I am going to show you a cool bug in the Security Check of Facebook. I used the Security heuristic and the “Inconsistency within the application” oracle to find this security bug.
How did I proceed?
I started with the registration form and, after filling in all mandatory fields, I was taken to the next step, where the Security Check was being done. Please look at the image below to see what I got after completing the first step.
Let us look at the claims,
“Enter both words below, separated by a space”
My tests of the claim made by the Security Check of Facebook
- Enter first word and click on “Sign Up”
- Enter second word and click on “Sign Up”
- Enter first and second word without space and click on “Sign Up”
- Enter second word and first word [ Second word as first word and first as second ]
Result: I ran all 4 tests and all of them passed (the Security Check rejected every one of these inputs, as the claim says it should).
What most of the testers might think at this point?
If the same captcha is used in different modules of Facebook, testers tend to think that the captcha works properly everywhere, which is wrong. I used the “Inconsistency within the same module within the application” oracle and found a cool bug which brings down the security level of the Security Check of Facebook.
Where is the bug?
I wanted to deactivate my account, so I navigated to “Account Settings” page.
Then I scrolled down to the last option, which was for de-activating the account. I chose to deactivate and was asked to enter my password, which is good. I entered my password and submitted it. The next step is where I found the security bug in the Security Check captcha.
You might be interested to know what happened in this Security Check captcha. A few things most / some testers might assume:
– Facebook is using same captcha all over the Facebook – Might be right / wrong
– Some / most of them might tend to enter both words, click “Submit” and see that it works – based on the test they might have done on the Security Check captcha during registration
– Some of them might see that it is using same API and assume there won’t be a bug
There might be other assumptions as well which you might think of.
What happened in this Security Check captcha?
I entered both words without a space – it was accepted without any error message and the account got de-activated – Claim Failed
Reporting would have been different if I had not investigated
My bug summary would have been “Entering both words without a space passes the security check”. But I investigate where it is required, so I started my investigation.
Case 1: I entered first word of the captcha and clicked on “Submit” – Account got de-activated! Wow!
Case 2: I entered only second word and clicked on “Submit” – Account got de-activated! Cool!
This Security Check captcha needs only one of the two words to be right.
If an attacker sees this vulnerability, he / she might be happy that the security level has dropped: the effort of by-passing the captcha with a programmed bot has been reduced.
Now you see that my report would have been wrong if I had not investigated. A bug might try to fool those testers who do not investigate, so that it gets reported the wrong way and can live its life happily.
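To make the finding concrete, here is a small added example of what a captcha verifier on the server has to check, together with the post's test table (the four registration tests plus the two deactivation cases) written as a regression check. This is illustration code written for this post, not Facebook's code; the challenge words "grapes" and "autumn" are constructed sample values, and verify_lenient is only a guess at logic that would reproduce the behaviour observed on the deactivation page, labelled as such in the code.

```python
"""Added example: a strict captcha verifier beside a lenient one that
reproduces the observed bug, checked against the post's test cases."""
import hmac
import re

# The two challenge words shown in the captcha image. Constructed sample values.
CHALLENGE = ("grapes", "autumn")


def normalise(answer: str) -> str:
    """Trim, collapse runs of whitespace to one space and casefold
    (image captchas are usually case-insensitive)."""
    return re.sub(r"\s+", " ", answer.strip()).casefold()


def verify_strict(answer: str, challenge=CHALLENGE) -> bool:
    """The claim the page quotes: both words, in order, separated by a space.
    Comparison is done in constant time."""
    expected = " ".join(challenge).casefold()
    return hmac.compare_digest(normalise(answer).encode(), expected.encode())


def verify_lenient(answer: str, challenge=CHALLENGE) -> bool:
    """HYPOTHETICAL reconstruction of the deactivation-page behaviour described
    in the post: the check passes if ANY expected word appears in the answer
    once spaces are removed. This is an assumption that merely reproduces what
    was observed; Facebook's real implementation is not known."""
    squashed = normalise(answer).replace(" ", "")
    return any(word.casefold() in squashed for word in challenge)


# The post's registration tests and deactivation cases as a test table:
# (answer typed by the user, whether a correct verifier should accept it).
CASES = [
    ("grapes autumn", True),   # the honest answer
    ("grapes", False),         # first word only (Case 1)
    ("autumn", False),         # second word only (Case 2)
    ("grapesautumn", False),   # both words without a space
    ("autumn grapes", False),  # second word as first, first as second
    ("", False),               # empty submission
]


def run_cases(verifier, cases=CASES):
    """Return the answers the verifier gets wrong: accepted when it should
    reject, or rejected when it should accept."""
    return [answer for answer, should_accept in cases
            if verifier(answer) != should_accept]


if __name__ == "__main__":
    print("strict verifier failures :", run_cases(verify_strict))
    print("lenient verifier failures:", run_cases(verify_lenient))
```

Run stand-alone, the strict verifier fails none of the cases, while the lenient one wrongly accepts the single words, the unspaced pair and the swapped pair, which is exactly the set of inputs the post says the deactivation captcha let through. Keeping such a table next to the verifier, and running it against every place the captcha is used, is what catches the "same captcha, different module" inconsistency the post describes.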
Message to Facebook:
I hope that Facebook fixes the Security Check issue as soon as possible, before an attacker exploits this vulnerability and causes problems for Facebook end-users and for Facebook.
Message to Testers:
Investigation skill is very important for a tester. If you are not practising it, start now.
Thanks for your time in reading this blog post.
My interests include traveling, driving my SUV, health & fitness and many others. I mentor budding entrepreneurs, testers, teams in any profession.
Author: SanthoshTuppad