Facebook bug: adds email without verification

If you don’t like Facebook, here is reinforcement to your thought. And if you like the social media giant, here is one reason to understand why some don’t like it.

Though I am always on a mission to find bugs, this Facebook bug came as a gift to me from the god of bugs. I do believe that there was a god of bugs in Greek mythology but they somehow hid it from the masses. Below is the whole story.

For some months, I had been receiving Facebook notifications on one of my email accounts which is not registered with it. I thought that it was spam at first, phishing later, but as the emails continued and always contained some genuine updates on a Facebook account, I started looking deeper.

My first thought was that the email system was messing up and mixing up email addresses. I tried various combinations with ‘.’ and other characters, but the emails didn’t reach my test accounts. I started to realize that my email account was registered with Facebook. The next question was: how come my email is used in this way?

I thought Facebook is a great team with a visionary leader, so I had better let them know. So I logged into Facebook with a test account and reported the issue. By the way, the fact that you have to be logged in to report a bug is something I didn’t like for a big system like Facebook. Anyway, that was the smaller disappointment, because the bigger disappointment was that no one replied. As if no one cares about quality.

(the original picture is here: http://telegraphng.com/2013/06/facebook-bug-exposes-users-information/ )

Then I sent an email to the poor guy whose updates were coming to me. He has my name with some addition and is a kid in his early teens. Whether he got scared by my email or could not understand how testers operate, he took no action.

At that point I had a testing session of around one hour with Facebook and its email notifications and found out that if you add a secondary email to your account, it gets added without any verification. Here are the steps that I took:

  1. Created a test account with a fake email like abc.xyz@yahoo.com.
  2. Facebook sent a verification email that I used to complete account creation.
  3. In the Account settings, I added another fake email like abc.xyz@outlook.com. Facebook sent a verification email to this new account.
  4. I took no action and didn’t follow the instructions in the email. Nor did I click the link saying that this was a mistake.
  5. Guess what happened, within a few hours this email got added to my account.
  6. I took help from a friend and sent him a friend request which he accepted. The notification was sent to both emails.

This is such a big hole in the system that if you make a typo, all your Facebook updates will start flowing to someone else’s email. Just like what I think happened to the poor kid I mentioned above. I have started making some noise about this issue and let’s hope that it gets fixed.
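The behaviour one would expect instead of what the steps above show, as an added sketch (not Facebook's code and not part of the original post): a secondary address stays pending until the mailed token is returned, an expired pending entry is dropped rather than promoted, and notifications go only to verified addresses. The `Account` class, its method names and the 24-hour `TOKEN_TTL` are assumptions made for illustration.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 24 * 3600  # assumed lifetime of a confirmation link, in seconds


class Account:
    """Hypothetical account model: addresses are either verified or pending."""

    def __init__(self, primary_email):
        self.verified = {primary_email}   # primary was confirmed at sign-up
        self.pending = {}                 # email -> (sha256(token), expiry)

    def request_secondary(self, email, now=None):
        """Record the address as pending and return the token to be mailed."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.pending[email] = (digest, now + TOKEN_TTL)
        return token

    def confirm(self, email, token, now=None):
        """Promote a pending address only if the mailed token comes back in time."""
        now = time.time() if now is None else now
        entry = self.pending.get(email)
        if entry is None:
            return False
        digest, expiry = entry
        if now > expiry:
            del self.pending[email]       # expiry drops the address, never adds it
            return False
        supplied = hashlib.sha256(token.encode()).hexdigest()
        if not secrets.compare_digest(supplied, digest):
            return False
        del self.pending[email]
        self.verified.add(email)
        return True

    def notification_recipients(self, now=None):
        """Only verified addresses receive account updates."""
        now = time.time() if now is None else now
        # Purge stale pending entries so the passage of time cannot promote them.
        self.pending = {e: v for e, v in self.pending.items() if v[1] >= now}
        return sorted(self.verified)
```

With this model, a mistyped secondary address that nobody confirms never appears in `notification_recipients()`, no matter how many hours pass.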

Can you try these steps to see the bug yourself? Do you have other Facebook worries to share?

5 responses to “Facebook bug: adds email without verification”

  1. H Hamid says :

    Nice catch. Facebook cares too much about quality, that’s why their privacy and security glitches make news all the time. You might know this already, but it would be interesting to share that Facebook doesn’t hire test engineers. They have gone one step farther than Google, by removing domain specific boundary lines between Testers and Developers. At Facebook, everyone codes and tests at the same time. 🙂

    • majd says :

      Thanks Huma, and you mentioned a fantastic point. Often, I get to hear that Facebook doesn’t hire testers so why should we? The point that people miss is that testing is becoming a role and everyone has to play that role. Some do it the Google way, some the Facebook way, but there is no hiding away from more testing these days.

  2. Ather Imran says :

    This is useful and at the same time disappointing that Facebook doesn’t validate the email addresses. Interesting article, possibly relevant:

    http://readwrite.com/2011/04/28/anyone_can_take_down_facebook_pages_with_a_fake_email_address#awesm=~omoAro9H3o6hrw

    However, this Facebook knowledge base page does indicate they do some sort of email validation:

    https://www.facebook.com/help/www/363421160387753

    • majd says :

      Thanks Ather for the insight.

      Facebook does send an email to verify the secondary email account, but it seems it adds it without much verification. I can give some benefit to their algorithm that I used the same firstname.secondname combination for both emails and I was on the same device, but still I believe an email shouldn’t be added until confirmation is done.

  3. Sohail says :

    Good Catch..Interesting one..
    It is another news for me that Google and Facebook do not have testing departments….Strange.
    They should attend sessions of KnowledgeTester esp upcoming ones to know how vital testing is..:)
