monsters vs aliens

3.27.2009

Facebook has changed the way its password reset tool works so that it does not easily verify e-mail addresses to potential spammers, after CNET News contacted it with concerns from an Israeli security expert.

On a separate matter, the company also has asked the maker of the Photo Stalker Facebook app to make it clear that despite the name, the app conforms to Facebook's privacy guidelines.

This is the new message Facebook displays when people reset their passwords.

(Credit: Facebook)

First off, Facebook is making it harder for spammers to mine the site for valid e-mail addresses.

"Last night, we took steps to make sure that our password reset tool is not confirming e-mail addresses," Facebook spokesman Barry Schnitt wrote in an e-mail on Thursday. "Specifically, we now give users the same message whether or not we recognize the e-mail address, and we are adding random amounts of time to the response to ensure that measuring the time isn't an indication of anything."

Previously, when people typed in a legitimate e-mail address on Facebook's password reset page they got a message either saying that their password had been reset or that an e-mail with instructions on how to reset the password had been sent to their e-mail account, thus providing verification that the e-mail address is legitimate. When a fake e-mail address was typed in they got a message that said "Unregistered Email. The email address you entered has not been registered."

Now, every e-mail address typed in gets the same message: "Your password has been reset. An e-mail has been sent to all contact e-mails associated with your account, including (the one typed in)."

Under the old system, an attacker could easily have built a script to generate random e-mail addresses and test them via the reset page, said Shlomi Narkolayev, an independent security consultant based in Israel. "Someone could make a lot of money by selling the list or using it to spam people directly."

He suggested that Facebook offer a generic message for all password reset attempts so as to throw spammers off the trail of legitimate e-mail addresses.

Facebook initially dismissed the concern when contacted on Tuesday. To get a third opinion, I then consulted with Web security expert Jeremiah Grossman, chief technology officer of WhiteHat Security.

"Yes. Facebook's Web site behavior is a common practice, but that doesn't necessarily mean it's a good thing," Grossman wrote in an e-mail. However, even displaying a generic password reset message could end up revealing whether an e-mail address is legitimate or not, he said. That's because the system can take a measurably different amount of time to respond to a bogus address, which it fails to find in the database, than to a legitimate one, he said.

"The real lesson here is that Web sites should not use e-mail addresses for usernames," Grossman said.

Well, Facebook came up with a compromise: it changed the confirmation message users see and added random delays to the response time.
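The two oracles discussed above, as an added Python example that is not part of the article and not Facebook's code: a reset handler in its original form (distinct messages), in the form Grossman objected to (one message, but work only on the registered branch, so the response time still leaks), and in a padded form that answers in the same minimum time either way, next to the enumeration script Narkolayev describes and a timing variant of it. The user store, the sleep durations standing in for lookup and mail-sending cost, and the response floor are constructed for the demo.

```python
import statistics
import time

# Constructed sample user store for this example (not Facebook data).
REGISTERED = {"alice@example.com", "bob@example.com"}

# Simulated cost of the "address is registered" branch (account lookup plus
# queuing the reset e-mail), modelled as a sleep so the timing side channel
# shows up in a measurement. Both durations are assumptions for the demo.
SEND_COST = 0.010        # seconds spent only on the registered branch
RESPONSE_FLOOR = 0.030   # seconds; every hardened response takes at least this long

UNIFORM_MSG = ("Your password has been reset. An e-mail has been sent to all "
               "contact e-mails associated with your account, including {}")


def reset_vulnerable(email):
    """Pre-fix behaviour: the message itself confirms whether the address is registered."""
    if email in REGISTERED:
        time.sleep(SEND_COST)                     # send the reset mail
        return "An e-mail with instructions on how to reset your password has been sent to " + email
    return "Unregistered Email. The email address you entered has not been registered."


def reset_uniform_message(email):
    """Same message on both branches, but the work still happens on only one,
    so the response time still leaks registration (Grossman's objection)."""
    if email in REGISTERED:
        time.sleep(SEND_COST)
    return UNIFORM_MSG.format(email)


def reset_hardened(email):
    """Same message and the same minimum response time on both branches:
    pad every reply to RESPONSE_FLOOR, which sits above the slow branch's cost."""
    started = time.perf_counter()
    if email in REGISTERED:
        time.sleep(SEND_COST)
    remaining = RESPONSE_FLOOR - (time.perf_counter() - started)
    if remaining > 0:
        time.sleep(remaining)
    return UNIFORM_MSG.format(email)


# --- attacker side: the script Narkolayev describes, plus a timing variant ---

def enumerate_by_message(handler, candidates):
    """Keep every address whose reply is not the 'unregistered' error."""
    return {e for e in candidates if "not been registered" not in handler(e)}


def median_response_time(handler, email, samples=9):
    durations = []
    for _ in range(samples):
        t0 = time.perf_counter()
        handler(email)
        durations.append(time.perf_counter() - t0)
    return statistics.median(durations)       # the median shrugs off one-off jitter


def enumerate_by_timing(handler, candidates, threshold=SEND_COST / 2):
    """Classify an address as registered if the server is slow to answer it."""
    return {e for e in candidates
            if median_response_time(handler, e) > threshold}


if __name__ == "__main__":
    probe = ["alice@example.com", "bob@example.com",
             "nobody@example.com", "zzz@example.org"]
    print("message oracle, old page:", enumerate_by_message(reset_vulnerable, probe))
    print("message oracle, uniform: ", enumerate_by_message(reset_uniform_message, probe))
    print("timing oracle, uniform:  ", enumerate_by_timing(reset_uniform_message, probe))
    print("timing oracle, hardened: ", enumerate_by_timing(reset_hardened, probe))
```

Against the old page the message oracle returns exactly the registered addresses; against the uniform message it returns every candidate, which is the same as returning nothing. The timing oracle recovers the registered set from the uniform-message handler and learns nothing from the padded one. Note the difference between the two defences: padding to a floor removes the timing signal, whereas adding a random delay, which is what Facebook's statement describes, only adds noise that an attacker averages out by taking more samples per address. In a real deployment the cleaner fix is to make both branches do the same work, for example by queuing the mail asynchronously so the response does not wait on it.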

Facebook, however, didn't make any changes to address an additional concern Narkolayev had with the site's login page. He had complained that an attacker could use a brute force attack on the login page to guess passwords using a program designed to try a large number of options in a systematic way.

To prevent such attacks, Facebook should require people to type in Captchas with each login and password reset attempt, Narkolayev said.

To that point, Schnitt said Facebook blocks accounts if someone tries too many incorrect passwords and that users would find it "unwieldy" to have to fill in a Captcha every time they mistyped a password or e-mail address.

Narkolayev said he was able to try wrong passwords 50 times before being blocked. He suggested the site present a Captcha after four attempts and block the account after seven attempts so "the user will not 'suffer from the Captcha' and the system will be safe from brute force and dictionary attack."
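The threshold scheme Narkolayev proposes, as an added Python example that is neither Facebook's code nor from the article: a per-account gate that demands a Captcha after four failures and locks the account after seven. The lockout duration, the clean slate after a successful login or an expired lock, the pluggable clock, and the stand-in password and Captcha checkers are assumptions made for the example.

```python
import time

# Thresholds from the proposal in the article. The lockout duration, the
# clean slate after a successful login or an expired lock, and the pluggable
# clock are assumptions made for this example.
CAPTCHA_AFTER = 4        # failures before a Captcha is demanded
LOCK_AFTER = 7           # failures before the account is locked
LOCK_SECONDS = 15 * 60


class LoginGate:
    """Per-account failure counter driving three states: open, captcha, locked."""

    def __init__(self, check_password, check_captcha, clock=time.time):
        self._check_password = check_password   # (account, password) -> bool
        self._check_captcha = check_captcha     # (account, captcha) -> bool
        self._clock = clock
        self._failures = {}                     # account -> consecutive failures
        self._locked_until = {}                 # account -> unix time

    def state(self, account):
        until = self._locked_until.get(account)
        if until is not None:
            if until > self._clock():
                return "locked"
            # Lock expired: start the account with a clean slate.
            del self._locked_until[account]
            self._failures.pop(account, None)
        if self._failures.get(account, 0) >= CAPTCHA_AFTER:
            return "captcha"
        return "open"

    def attempt(self, account, password, captcha=None):
        state = self.state(account)
        if state == "locked":
            return "locked"
        # Once a Captcha is required, a missing or wrong one ends the request
        # before the password is checked, so it neither counts as a guess
        # nor reveals whether the password was right.
        if state == "captcha" and not self._check_captcha(account, captcha):
            return "captcha_required"
        if self._check_password(account, password):
            self._failures.pop(account, None)
            return "ok"
        failures = self._failures.get(account, 0) + 1
        self._failures[account] = failures
        if failures >= LOCK_AFTER:
            self._locked_until[account] = self._clock() + LOCK_SECONDS
            return "locked"
        return "wrong_password"


def demo():
    """Walk one constructed account through all three states with a fake clock."""
    now = [1_000_000.0]
    gate = LoginGate(check_password=lambda a, p: p == "correct horse",
                     check_captcha=lambda a, c: c == "solved",
                     clock=lambda: now[0])
    results = [gate.attempt("alice", "guess") for _ in range(CAPTCHA_AFTER)]
    results.append(gate.state("alice"))                          # "captcha"
    results.append(gate.attempt("alice", "correct horse"))       # no Captcha: refused
    for _ in range(LOCK_AFTER - CAPTCHA_AFTER):
        results.append(gate.attempt("alice", "guess", captcha="solved"))
    now[0] += LOCK_SECONDS + 1                                   # wait out the lock
    results.append(gate.attempt("alice", "correct horse"))       # "ok"
    return results


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner would add to this scheme: a per-account counter lets anyone lock a victim out by guessing badly on purpose, and it does nothing against spraying one common password across many accounts, so it belongs next to a per-source limit rather than in place of one. The gate also answers "locked" identically whether or not the password was right, so the lock itself does not become a password oracle.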
