Facebook bug: adds email without verification
If you don’t like Facebook, here is something to reinforce that view. And if you like the social media giant, here is one reason why some don’t.
Though I am always on a mission to find bugs, this Facebook bug came as a gift to me from the god of bugs. I do believe that there was a god of bugs in Greek mythology but they somehow hid it from the masses. Below is the whole story.
For some months, I had been receiving Facebook notifications on one of my email accounts which is not registered with it. I thought it was spam at first, then phishing, but as the emails continued and always contained genuine updates on a Facebook account, I started looking deeper.
My first thought was that the email system was messing up and mixing up email addresses. I tried various combinations with ‘.’ and other characters, but the emails didn’t reach my test accounts. I started to realize that my email account was registered with Facebook. The next question was: how come my email was being used in this way?
I thought Facebook is a great team with a visionary leader, so I had better let them know. So I logged into Facebook with a test account and reported the issue. By the way, the fact that you have to be logged in to report a bug is something I didn’t like for a big system like Facebook. Anyway, that was the smaller disappointment, because the bigger disappointment was that no one replied. As if no one cares about quality.
(the original picture is here: http://telegraphng.com/2013/06/facebook-bug-exposes-users-information/ )
Then I sent an email to the poor guy whose updates were coming to me. He has my name with some addition and is a kid in his early teens. I am not sure whether he was scared by my email or could not understand how testers operate, but he took no action.
At that point I did about an hour of testing with Facebook and its email notifications and found that if you add a secondary email to your account, it gets added without any verification. Here are the steps that I took:
- Created a test account with a fake email like email@example.com.
- Facebook sent a verification email that I used to complete account creation.
- In the account settings, I added another fake email like firstname.lastname@example.org. Facebook sent a verification email to this new account.
- I took no action and didn’t follow the instructions in the email. Nor did I click the link saying that this was a mistake.
- Guess what happened: within a few hours this email got added to my account.
- I took help from a friend and sent him a friend request which he accepted. The notification was sent to both emails.
This is such a big hole in the system that if you do a typo, all your Facebook updates will start flowing to an email. Just like what I think happened to the poor kid I mentioned above. I have started making some noise about this issue and let’s hope that it gets fixed.
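The behaviour a tester would expect from the steps above, sketched as an added example (this is not Facebook's code): a secondary address stays pending until the emailed token is presented, a timeout removes it instead of promoting it, and notifications go only to verified addresses. The `Account` class, its method names and the 24-hour `TOKEN_TTL` are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

TOKEN_TTL = 24 * 3600  # assumed lifetime of a confirmation link, in seconds


class Account:
    """Hypothetical account model: secondary emails never auto-confirm."""

    def __init__(self, primary):
        self.verified = {primary.lower()}
        self.pending = {}  # email -> (sha256 of token, expiry timestamp)

    def add_email(self, email, now):
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.pending[email.lower()] = (digest, now + TOKEN_TTL)
        return token  # mailed to the new address only, never shown elsewhere

    def confirm(self, email, token, now):
        email = email.lower()
        entry = self.pending.get(email)
        if entry is None:
            return False
        digest, expires = entry
        if now > expires:
            del self.pending[email]  # expired links are dead, not accepted
            return False
        supplied = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(supplied, digest):
            return False
        del self.pending[email]
        self.verified.add(email)
        return True

    def purge_expired(self, now):
        """Timeout removes unconfirmed addresses; it never promotes them."""
        expired = [e for e, (_, exp) in self.pending.items() if now > exp]
        for e in expired:
            del self.pending[e]
        return expired

    def notification_recipients(self):
        # Pending addresses are excluded, so a typo cannot leak updates.
        return sorted(self.verified)
```

Time is passed in as `now` so the "took no action, waited a few hours" step can be replayed deterministically in a regression test.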
Can you try these steps to see the bug yourself? Do you have other Facebook worries to share?