
Facebook – A bug and my investigation

Security check – For those who do not know why this is done: the image in which you see some words and are asked to type them for a security check is known as a “CAPTCHA”. The check is meant to confirm that you are a genuine human end-user, on the assumption that humans can recognise distorted characters and bots cannot. Some programmers write bots that register accounts automatically and spam-bomb a site, and a CAPTCHA makes that difficult [ remember, I am saying difficult and not impossible ] for the bots.

Today, I am going to show you a cool bug in the Security Check of Facebook. I used the “security” heuristic and the “inconsistency within the application” oracle to find this security bug.

How did I proceed?

I started with the registration form and, after filling in all mandatory fields, I was taken to the next step, where the Security Check is done. The image below shows what I got after completing the first step.

Let us look at the claim the page makes:

“Enter both words below, separated by a space”

My tests of the claim made by Facebook's Security Check

  1. Enter only the first word and click on “Sign Up”
  2. Enter only the second word and click on “Sign Up”
  3. Enter the first and second word without a space and click on “Sign Up”
  4. Enter the second word and then the first word [ second word in place of the first, first in place of the second ] and click on “Sign Up”

Result: I ran all four tests and all of them passed, i.e. the registration check rejected each of these inputs and behaved as its claim says.

What might most testers think at this point?

If the same captcha is used in different modules of Facebook, they tend to assume that because it works properly here it works properly everywhere, which is wrong. I used the “inconsistency within the same module within the application” oracle and found a cool bug that lowers the security level of Facebook's Security Check.

Where is the bug?

I wanted to deactivate my account, so I navigated to the “Account Settings” page.

Then I scrolled down to the last option, which is for deactivating the account. I chose to deactivate and was then asked to enter my password, which is good. I entered my password and submitted it. The next step is where I found a security bug in the Security Check captcha.


You might be interested to know what happened in this Security Check captcha. A few things some or most testers might assume:

–          Facebook is using the same captcha all over Facebook – might be right or wrong

–          Some or most of them might enter both words, click “Submit”, see that it works and stop there – based on the test they did on the Security Check captcha during registration

–          Some of them might see that it uses the same API and assume there won't be a bug

There might be other assumptions as well which you can think of.

What happened in this Security Check captcha?

I entered both words without a space – it was accepted without any error message and the account got deactivated – Claim failed.

My report would have been different had I not investigated

My summary of the bug would have been “Entering both words without a space passes the security check”. But I investigate where it is required, so I started my investigation.

My Investigation

Case 1: I entered only the first word of the captcha and clicked on “Submit” – the account got deactivated! Wow!

Case 2: I entered only the second word and clicked on “Submit” – the account got deactivated! Cool!

In this Security Check captcha, only one correct word out of the two is needed.
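To make the two behaviours described above concrete, here is an added example (not code from the original post, and not Facebook's or reCAPTCHA's implementation) that models two server-side checking policies for a two-word challenge and runs the post's five inputs (correct, first word only, second word only, no space, swapped) through each. The model assumes, as the comment thread later points out for reCAPTCHA, that the server only knows the answer to one of the two words (the `control` word) and uses the other to collect transcriptions. The `Challenge`, `strict_policy` and `lenient_policy` names are hypothetical. The strict policy reproduces what the registration check did (reject all four deviations); the lenient policy reproduces what the deactivation check did (accept as soon as the known word is present). Under the lenient model, which single word is accepted depends on where the control word was rendered in that particular challenge, which is consistent with the post seeing either single word accepted across separate deactivation attempts.

```python
"""Model of two CAPTCHA-checking policies for a two-word challenge.

Added illustration; the real verifiers discussed on the page are not on the page.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, Tuple


@dataclass(frozen=True)
class Challenge:
    """A two-word challenge. Only `control` has a server-known answer; `unknown`
    is the word the server is still collecting transcriptions for."""
    control: str
    unknown: str
    control_first: bool = True  # position the control word is rendered in

    def words(self) -> Tuple[str, str]:
        """Words in the order the user sees them."""
        if self.control_first:
            return (self.control, self.unknown)
        return (self.unknown, self.control)


def tokens(answer: str):
    """Whitespace-split, lower-cased tokens of the submitted answer."""
    return [t.lower() for t in re.split(r"\s+", answer.strip()) if t]


def strict_policy(ch: Challenge, answer: str) -> bool:
    """Require exactly two whitespace-separated words with the control word in
    the position it was rendered in. This rejects single words, fused words and
    swapped words, matching the registration behaviour in the post."""
    toks = tokens(answer)
    if len(toks) != 2:
        return False
    idx = 0 if ch.control_first else 1
    return toks[idx] == ch.control.lower()


def lenient_policy(ch: Challenge, answer: str) -> bool:
    """Accept as soon as the control word appears anywhere in the answer.
    Only one correct word is needed, matching the deactivation behaviour."""
    return ch.control.lower() in tokens(answer)


def claim_cases(ch: Challenge) -> Dict[str, str]:
    """The inputs from the post, built from the words as the user sees them."""
    first, second = ch.words()
    return {
        "correct": f"{first} {second}",
        "first_only": first,
        "second_only": second,
        "no_space": first + second,
        "swapped": f"{second} {first}",
    }


def run_cases(policy: Callable[[Challenge, str], bool], ch: Challenge) -> Dict[str, bool]:
    """Run every input through a policy; True means the check accepted it."""
    return {name: policy(ch, ans) for name, ans in claim_cases(ch).items()}


if __name__ == "__main__":
    # Constructed sample challenge; the words are arbitrary.
    ch = Challenge(control="morning", unknown="abstruse")
    for name, policy in (("strict", strict_policy), ("lenient", lenient_policy)):
        print(name, run_cases(policy, ch))
```

Running the same five inputs against every place a site uses the captcha is exactly the "inconsistency within the application" check the post applied by hand; a harness like this makes the comparison repeatable when a site exposes the challenge through an API.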

Risk Analysis

If an attacker discovers this behaviour, the security level of the check is lower than it appears: a bot only has to recognise one of the two words correctly, so the effort of bypassing the captcha by programming the bot is reduced.

Now you see that my report would have been wrong if I had not investigated. A bug might fool testers who do not investigate into reporting it wrongly, so that the bug can live its life happily.

Message to Facebook:

I hope that Facebook fixes this Security Check issue as soon as possible, before an attacker exploits it and causes problems for Facebook and its end-users.

Message to Testers:

Investigation skill is very important for a tester. If you are not doing it, start practising it.

Thanks for your time in reading this blog post.


SanthoshTuppad

Software Tester, Product Innovator, Security Enthusiast at Test Insane Software Testing Services
I have been a software tester for over 5 years. I am a hands-on tester and I have been winning bug battles and testing competitions across the world. I am a testing enthusiast who conducts free workshops on security testing across India (covered locations: Bengaluru, Pune, Hyderabad and Chennai; invite him to come to your location) and monthly meets for testers in Bengaluru. I am also an avid testing blogger.

My interests include traveling, driving my SUV, health & fitness and many others. I mentor budding entrepreneurs, testers, teams in any profession.

18 Comments

  1. Sonal wrote:

    Hey this is really cool one. Too good investigation :)

    Wednesday, October 27, 2010 at 4:01 am | Permalink
  2. Kiran wrote:

    How about posting a video bug report so that we can see it in action as well …

    Wednesday, October 27, 2010 at 9:47 pm | Permalink
  3. There are rumours, or an actual official fact, that big companies use captchas to actually transcribe books. Now I don't know how this actually works, but apparently they use some words from books (images of text) and also put in a generated word.
    The user doesn't know which one is from a book and which is generated, so they enter both.
    Usually one of the words will unlock it.

    Thursday, October 28, 2010 at 5:14 am | Permalink
  4. >> There are rumours, or an actual official fact, that big companies use captchas to actually transcribe books. Now I don't know how this actually works, but apparently they use some words from books (images of text) and also put in a generated word.
    The user doesn't know which one is from a book and which is generated, so they enter both.
    Usually one of the words will unlock it. << Claim failed
    – I disagree with your “Usually one of the words will unlock it” statement because I have seen it happening consistently: one of the words is always accepted and the account is deactivated.

    Thanks!

    Thursday, October 28, 2010 at 5:29 am | Permalink
  5. Hiral Rochani wrote:

    Hi ,

    I agree with Eusebiu Blindu but not sure this might help with facebook account de-activation ..

    http://www.google.com/recaptcha/learnmore

    Hiral

    Thursday, October 28, 2010 at 6:08 am | Permalink
  6. Teemu Vesala wrote:

    At least Google and reCAPTCHA are using “we don't know this word yet” words in their captchas. But at the same time they are seeing such a huge number of IPs that they can also make a risk estimate for each IP address. If the same IP is doing plenty of captcha solves and part of them fail, they can harden the captcha for those IP addresses as much as they like. So IMHO those “submit whatever you like” words are not reducing the reliability of the captcha, even if 10% of the words are such that anything can be submitted for them. (And lately there have been reports about captcha texts containing characters which the user cannot type…)

    The differences between the registration and deactivation captchas point to one major risk for code maintainability. There is the same kind of functionality, but the codebase clearly differs. That is not good in any case. As QA I would have to mention it if I noticed it. And the devs should realise the risk and put it on the “must fix” list.

    Great finding!

    Thursday, October 28, 2010 at 8:46 am | Permalink
  7. The problem is that the captcha is not useful here at all. They needed to put it in a loop with the password request.
    Because a robot normally can hardly recognise an image. Even if it does a good job there are chances to fail.
    If you had to validate the password and the captcha in a single try in a loop, a robot cracker could enter the correct password but could have failed the image recognition. That would have been much better than it is now: validate the password by multiple tries, then you get the screen with the captcha.
    And whether one or two words need to be validated doesn't matter.

    Thursday, October 28, 2010 at 12:14 pm | Permalink
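The design point raised in the comment above, that the password and the captcha should be checked together in one request rather than password first and captcha afterwards, can be shown with a small added example (my illustration, not code from the post, the commenter, or Facebook). The `DeactivationEndpoint` class and its two flows are hypothetical. In the sequential flow the server answers the password step on its own, so a bot can run a password list without ever solving a captcha and only needs one solve at the end; in the single-request flow every guess consumes a challenge and gets the same generic failure, so the bot needs one captcha solve per password guess. The `brute_force` simulation counts how many solves each flow costs the attacker; the "solve" is modelled as reading the current answer, standing in for an OCR or human solve.

```python
"""Sequential vs. single-request validation of password + CAPTCHA on a sensitive action.

Added illustration of the design point from the comment thread; hypothetical server.
"""
import hmac
import secrets
from typing import List, Optional, Tuple


class DeactivationEndpoint:
    """Hypothetical server for an action (e.g. account deactivation) gated by
    the account password and a CAPTCHA."""

    def __init__(self, password: str):
        self._password = password.encode()
        self.captcha_answer = self._new_captcha()

    @staticmethod
    def _new_captcha() -> str:
        # Stands in for rendering a fresh challenge; the value itself is irrelevant.
        return secrets.token_hex(3)

    def _password_ok(self, pw: str) -> bool:
        # Constant-time comparison; plaintext storage is only for the illustration.
        return hmac.compare_digest(pw.encode(), self._password)

    def sequential(self, pw: str, captcha: Optional[str]) -> str:
        """Flow the comment criticises: the password is validated first and the
        result is revealed; the captcha is only looked at once the password is right."""
        if not self._password_ok(pw):
            return "bad_password"
        if captcha != self.captcha_answer:
            self.captcha_answer = self._new_captcha()
            return "bad_captcha"
        return "deactivated"

    def atomic(self, pw: str, captcha: Optional[str]) -> str:
        """Flow the comment proposes: both factors are checked on one request,
        the challenge is consumed whatever the outcome, and the response does
        not say which factor failed."""
        ok = self._password_ok(pw) and captcha == self.captcha_answer
        self.captcha_answer = self._new_captcha()
        return "deactivated" if ok else "failed"


def brute_force(endpoint: DeactivationEndpoint, flow: str,
                candidates: List[str]) -> Tuple[str, int, int]:
    """Bot tries candidate passwords in order. A 'solve' (reading the current
    answer) is counted whenever the flow forces the bot to present a valid captcha.
    Returns (outcome, password_attempts, captcha_solves)."""
    solves = 0
    for attempts, guess in enumerate(candidates, 1):
        if flow == "sequential":
            # No captcha needed to learn whether the password guess was right.
            if endpoint.sequential(guess, None) == "bad_password":
                continue
            solves += 1  # password confirmed; one solve finishes the job
            return endpoint.sequential(guess, endpoint.captcha_answer), attempts, solves
        # Single-request flow: the bot cannot tell a wrong password from a wrong
        # captcha, so every guess must carry a freshly solved challenge.
        solves += 1
        if endpoint.atomic(guess, endpoint.captcha_answer) == "deactivated":
            return "deactivated", attempts, solves
    return "exhausted", len(candidates), solves


if __name__ == "__main__":
    # Constructed sample: a short password list with the real password last.
    words = ["123456", "password", "letmein", "correct horse"]
    for flow in ("sequential", "atomic"):
        print(flow, brute_force(DeactivationEndpoint("correct horse"), flow, words))
```

The point of the simulation is the last number in each tuple: with the password checked on its own, the list of four guesses costs the bot a single captcha solve, while checking both on one request costs it one solve per guess, so the captcha actually rate-limits the password guessing. Rate limiting and lockout on the password step are the usual complement to this, and are outside the scope of the example.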
  8. @Teemu Vesala, Thanks for your comment and I hope Facebook would put it to “must fix” list.

    Friday, October 29, 2010 at 2:48 am | Permalink
  9. Madhuri wrote:

    Hi Santosh,

    Can you please take a topic of RTM(Requirements Traceability Matrix) and cover it according to your perspective?

    Monday, November 1, 2010 at 8:16 am | Permalink
  10. @Eusebiu Blindu,

    You did not understand the context. I hope the chat conversation helped you understand the context.

    >> Because a robot normally can hardly recognise an image. Even if it does a good job there are chances to fail. <<
    >> If you had to validate the password and the captcha in a single try in a loop, a robot cracker could enter the correct password but could have failed the image recognition. <<
    >> That would have been much better than it is now: validate the password by multiple tries, then you get the screen with the captcha.
    And whether one or two words need to be validated doesn't matter. <<

    I disagree. How do you know that? A bot might crack the password and a one-word captcha at the first attempt. Now, having 2 words in a different combination at every instance might make this difficult for an attacker.

    NOTE : You might want to take a look at comment by Teemu Vesala.

    Thanks!

    Tuesday, November 2, 2010 at 12:31 am | Permalink
  11. @Madhuri,

    What is the big deal in doing it? Requirements have been met = Requirements Traceability Matrix. Now, what exactly is it that you are looking for?

    My answer is: have a checklist of requirements and mark them off once they have been implemented. That's all.

    Thanks,
    Santhosh Shivanand Tuppad

    Tuesday, November 2, 2010 at 12:38 am | Permalink
  12. Nikhil wrote:

    Sanoth,
    I always thought about this. I observed that only one of the words or letters in the captcha works. Well, I started testing Facebook two months ago, only out of curiosity. Presently I am in the middle of an interesting investigation, I should say. Will share more when I complete it. I have to say FB looks dull from a tester's point of view, but mainly on security. Silly FB bug:
    http://dl.dropbox.com/u/14905173/1.jpg

    Friday, November 12, 2010 at 4:48 am | Permalink
  13. Nikhil wrote:

    Sorry, name: *Santosh

    Friday, November 12, 2010 at 4:49 am | Permalink
  14. Nikhil wrote:

    Santosh,
    In my post above I say
    “I have to say FB looks dull from a tester's point of view.”
    Dull in the sense that it looks bad.

    Friday, November 12, 2010 at 4:50 am | Permalink
  15. Nikhil R wrote:

    I had always thought that reCAPTCHA works even if a single word matches, but never tried to break my head over it.
    Now I am not surprised to see this on FB, as FB has always looked dull when you keep an eye on it as a tester.
    I have been testing FB for a couple of months now, into an investigation of its basic features, and boy, I really can't believe some of the silly things FB has. Will share more when I am done.

    Thanks
    Nikhil

    via Sony xperia

    Saturday, November 13, 2010 at 3:00 am | Permalink
  16. @Nikhil, Thanks for your comments. I would be glad to hear your experience about your investigation when you are done.

    Sunday, November 14, 2010 at 10:49 am | Permalink
  17. The initiator of the problem is actually reCAPTCHA, we know. If you have ever used reCAPTCHA, you have probably noticed that there is nothing you can do about this. The validation is not on your end; it is done by reCAPTCHA. So when you are using reCAPTCHA it is assumed that you have read these lines from their site:

    “Each new word that cannot be read correctly by OCR is given to a user in conjunction with another word for which the answer is already known. The user is then asked to read both words. If they solve the one for which the answer is known, the system assumes their answer is correct for the new one. The system then gives the new image to a number of other people to determine, with higher confidence, whether the original answer was correct.”

    However, if a hacker can write a bot to bypass a CAPTCHA like reCAPTCHA for a single word, then that will work for double words, triple words and so on.

    Sunday, December 19, 2010 at 8:29 am | Permalink
  18. @Monirul Islam,

    Thanks for your comment.

    You are absolutely right that this problem is in reCAPTCHA. Facebook shouldn't be waiting for them to fix it. Maybe for reCAPTCHA it is as designed. But my opinion is that, keeping Facebook's security in mind, Facebook should be using a better captcha.

    Sunday, December 19, 2010 at 9:43 am | Permalink

One Trackback/Pingback

  1. […] This post was mentioned on Twitter by Santhosh Tuppad, Santhosh Tuppad. Santhosh Tuppad said: Facebook – A bug and my investigation http://bit.ly/9uYvS4 #softwaretesting […]
