Facebook has changed the way its password reset tool works so that it does not easily verify e-mail addresses to potential spammers, after CNET News contacted it with concerns from an Israeli security expert.
On a separate matter, the company also has asked the maker of the Photo Stalker Facebook app to make it clear that despite the name, the app conforms to Facebook's privacy guidelines.
First off, Facebook is making it harder for spammers to mine the site for valid e-mail addresses.
"Last night, we took steps to make sure that our password reset tool is not confirming e-mail addresses," Facebook spokesman Barry Schnitt wrote in an e-mail on Thursday. "Specifically, we now give users the same message whether or not we recognize the e-mail address, and we are adding random amounts of time to the response to ensure that measuring the time isn't an indication of anything."
Previously, when people typed in a legitimate e-mail address on Facebook's password reset page they got a message either saying that their password had been reset or that an e-mail with instructions on how to reset the password had been sent to their e-mail account, thus providing verification that the e-mail address is legitimate. When a fake e-mail address was typed in they got a message that said "Unregistered Email. The email address you entered has not been registered."
Now, every e-mail address typed in gets the same message: "Your password has been reset. An e-mail has been sent to all contact e-mails associated with your account, including (the one typed in)."
Under the old system, an attacker could easily have built a script to generate random e-mail addresses and test them via the reset page, said Shlomi Narkolayev, an independent security consultant based in Israel. "Someone could make a lot of money by selling the list or using it to spam people directly."
He suggested that Facebook offer a generic message for all password reset attempts so as to throw spammers off the trail of legitimate e-mail addresses.
Facebook initially dismissed the concern when contacted on Tuesday. To get a third opinion, I then consulted with Web security expert Jeremiah Grossman, chief technology officer of WhiteHat Security.
"Yes. Facebook's Web site behavior is a common practice, but that doesn't necessarily mean it's a good thing," Grossman wrote in an e-mail. However, even displaying a generic password reset message could end up revealing whether an e-mail address is legitimate or not, he said. That's because the system responds to legitimate e-mail addresses in one amount of time and to bogus ones, which it doesn't immediately find in the database, in a different amount of time, he said.
"The real lesson here is that Web sites should not use e-mail addresses for usernames," Grossman said.
Well, Facebook came up with a compromise, changing the confirmation message users see.
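The two behaviours described above, side by side, as an added example that is not code from Facebook or from the article: the leaky handler answers differently for known and unknown addresses, while the hardened handler returns one generic message, does the same work on both paths, and pads every response to a fixed minimum latency (a constant floor rather than the random jitter the article mentions). The user store, message text and timings are constructed for the example.

```python
import hashlib
import secrets
import time

# Constructed sample user store for the example: e-mail address -> account record.
USERS = {"alice@example.com": {"id": 1}}
_DUMMY = {"id": 0}  # stand-in record so a lookup miss does the same work as a hit

GENERIC_MESSAGE = ("Your password has been reset. An e-mail has been sent to all "
                   "contact e-mails associated with your account.")


def leaky_reset(email):
    """'Before' behaviour: the reply text itself reveals whether the address exists."""
    if email in USERS:
        return "An e-mail with instructions on how to reset the password has been sent."
    return "Unregistered Email. The email address you entered has not been registered."


def issue_token(record):
    """Generate a reset token; the key stretching stands in for the handler's real work."""
    token = secrets.token_urlsafe(32)
    digest = hashlib.pbkdf2_hmac("sha256", token.encode(), secrets.token_bytes(16), 20000)
    return token, digest


def hardened_reset(email, outbox, min_seconds=0.05):
    """'After' behaviour: same message, same work and a fixed minimum latency whether
    or not the address is known. Mail is queued only for real accounts."""
    start = time.monotonic()
    record = USERS.get(email)
    known = record is not None
    token, _ = issue_token(record if known else _DUMMY)  # identical cost on both paths
    if known:
        outbox.append((email, token))  # queued; the e-mail is sent asynchronously
    # Pad to a constant floor so the response time does not depend on the lookup result.
    remaining = min_seconds - (time.monotonic() - start)
    if remaining > 0:
        time.sleep(remaining)
    return GENERIC_MESSAGE


def timed_reset(email, outbox):
    """Return the hardened response together with the observed latency in seconds."""
    start = time.monotonic()
    message = hardened_reset(email, outbox)
    return message, time.monotonic() - start
```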
Facebook, however, didn't make any changes to address an additional concern Narkolayev had with the site's login page. He had complained that an attacker could use a brute force attack on the login page to guess passwords using a program designed to try a large number of options in a systematic way.
To prevent such attacks, Facebook should require people to type in Captchas with each login and password reset attempt, Narkolayev said.
To that point, Schnitt said Facebook blocks accounts if someone tries too many incorrect passwords and that users would find it "unwieldy" to have to fill in a Captcha every time they mistyped a password or e-mail address.
Narkolayev said he was able to try wrong passwords 50 times before being blocked. He suggested the site present a Captcha after four attempts and block the account after seven attempts so "the user will not 'suffer from the Captcha' and the system will be safe from brute force and dictionary attack."
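The escalating policy Narkolayev proposes, implemented as an added example that is not Facebook's code or the article's: a per-account failure counter that demands a Captcha once four guesses have failed and locks the account on the seventh failure. The thresholds come from his suggestion; the lockout duration, account names and the injectable clock are constructed for the example.

```python
import time
from dataclasses import dataclass

CAPTCHA_AFTER = 4        # failed attempts before a Captcha is required
LOCK_AFTER = 7           # failed attempts before the account is locked
LOCK_SECONDS = 15 * 60   # constructed lockout duration for the example


@dataclass
class AttemptState:
    failures: int = 0
    locked_until: float = 0.0


class LoginGuard:
    """Per-account failure counter that escalates: password -> Captcha -> lock."""

    def __init__(self, clock=time.monotonic):
        self._state = {}
        self._clock = clock  # injectable so the policy can be tested without waiting

    def _get(self, account):
        return self._state.setdefault(account, AttemptState())

    def requirement(self, account):
        """What the login form must demand right now for this account."""
        s = self._get(account)
        if s.locked_until > self._clock():
            return "locked"
        if s.failures >= CAPTCHA_AFTER:
            return "captcha"
        return "password"

    def attempt(self, account, password_ok, captcha_ok=False):
        """Record one login attempt and return its outcome."""
        s = self._get(account)
        if s.locked_until > self._clock():
            return "locked"
        if s.failures >= CAPTCHA_AFTER and not captcha_ok:
            return "captcha-required"  # guess never checked, so it is not counted
        if password_ok:
            s.failures = 0             # a successful login resets the counter
            return "ok"
        s.failures += 1
        if s.failures >= LOCK_AFTER:
            s.locked_until = self._clock() + LOCK_SECONDS
            return "locked"
        return "bad-password"
```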
Because of its popularity, Facebook gets more scrutiny for privacy and security than other Web sites and services (you can call it the Windows curse), even when it's following common practice or doing more than other sites are doing. The intense attention is merited because of the millions of people who use the site, many of whom may not understand the privacy risks they take on in their quest to connect with friends on the site.
Take, for instance, the Facebook app called "Photo Stalker." It lets anyone see any Facebook user's public photos, even when they are not friends, just by typing in a name, friend ID, or user ID in a search box. (Thanks to Byron Ng for bringing it to the attention of CNET News.)
While the app does not violate Facebook's privacy guidelines, I'm sure it would still shock many people on Facebook to learn that photos they thought were visible only to friends in their network can so easily be seen by complete strangers.
After being contacted by CNET News about Photo Stalker, Facebook asked the developer of the app, Josh Carcione, to change the name to something less provocative. So far, he hasn't done so. But he did add this message to the app profile page:
"This application does not circumvent Facebook privacy settings to deliver these photos. You can edit the privacy settings on your own photos so that they are not visible to everyone on Facebook, including through this application."
So, you might want to double-check and manually set any photos to "private" that you don't want to be viewable by anyone on Facebook.