Tim says he’s pinpointed a flaw in Facebook’s security system that blocks users and computers from Facebook accounts — while also locking the accounts — if they are hit with too many failed logins, or too many successful logins, in too short a time period. Facebook got back to Tim and says it’s aware of the issue and is working on a fix, but doesn’t yet know when it will come.
Tim writes:
A couple of weeks ago I started having problems logging into Facebook. After emailing Facebook and not initially receiving a response I decided to troubleshoot myself. It turns out if you log in a bunch of times within a short period of time (I don’t stay logged in) or if you log in incorrectly one too many times, Facebook not only locks your account but blocks your IP address. In my case they blocked an entire class C range of IPs. Some friends of mine are able to reproduce the issue. When I figured this out I sent a detailed email to Facebook and this is the response I received…
Hi Timothy,
We are aware of the problem that you described and apologize for the inconvenience. Unfortunately, we do not have a specific date for when this issue will be resolved but hope to fix it as soon as possible. We appreciate your patience.
Thanks for contacting Facebook,
Carl
User Operations
If you’ve been Faceblocked due to this issue, tell us about it.
What, you wanted another reason not to use Facebook?
You’re right, potential hackers should be allowed unlimited attempts at guessing our passwords.
The difference is that companies with similar policies have the ability to unlock accounts if the user calls or e-mails in with the right information.
Facebook has next to no customer service, so if they create a problem, they will usually never fix it unless it becomes a serious issue affecting almost everyone or if the solution fits their agenda.
I don’t see it specifically mentioned in the article but is the account locked temporarily or permanently? I assumed that it was temporarily since other sites do this as well.
It’s an odd thing they have going on. My account gets locked, I can reset my password, but I cannot log in. Once the IP is blocked, there is nothing that can be done. I have to either obtain a new IP or use another internet connection. In my case though, I tested an entire class C block of IPs; all were blocked. Luckily my ISP makes changing IP addresses fairly simple.
Bottom line, when I am home or at another location, signing on to facebook is challenging.
“if they are hit with too many failed logins”
That part of it doesn’t sound like an error.
How many times do you have to log in, and in how short a period do you have to do it, to re-create the error?
Too many failed logins is just an “OP SEC” measure. Big deal. Companies have been doing this for years. Sometimes I think these OPs in these articles are ten years old.
I don’t think that was his real complaint, considering the way he uses facebook
Yet another Facebook fail. When’s the next social trend supposed to start? I think this one’s done.
“Yet another facebook fail.”
Every site should do this, most do. Apparently Facebook users know the least about security.
Nor does Consumerist.
Yeah, but it’s been at least a week since their last Facebook bashing story and they were probably getting desperate.
Whenever Google rolls out “Google Me”, I suppose.
When I was on vacation out of state and using the wireless network in the hotel, I was able to use Facebook just fine. However, my boyfriend could not. When he tried to log in it “detected suspicious activity” and asked him to “confirm his identity” by quizzing him with a bunch of his friends’ pictures. No matter how often he passed, he still couldn’t get in.
That happened to my mom. I don’t think that’s really fair. What’s the likelihood I’m gonna recognize a random sampling of my 400+ friends? Especially if the picture is of their damn dog or something?!
I dunno, seems reasonable to me as an approach to block hacking attempts…
I had an issue with logging in to my FB account via browser about two hours ago. Typed in user/pass and got a blank page while the URL changed to the usual one that you get after typoing user/pass. There seems to be something funky going on or was going on at FB as I very rarely do typos when logging in.
Mobile version on iTouch worked fine though.
I don’t see how this is a fail; it’s a bot preventative and MANY online apps block you after making X number of failed attempts. How quickly and often is he logging in? Is he logging on and logging off several times a minute? An hour?
yeah, yeah, you can blame /b for that crap. This just prevents the internets from getting access to your account and sharing your username/password with the world…
Must’ve locked his GF’s account up by trying to guess her password and realized he’ll get busted when she gets home and finds out her account is locked down. Because this definitely doesn’t sound like an error, sounds more BAU.
What a dummy.
And if Facebook didn’t have this feature, people would complain that it posed a significant security risk.
So much ado over a free website…
People want to have their cake and eat it too, especially when it comes to Facebook.
A temporary account lock makes sense. Blocking a whole range of IP addresses does not. Having no avenue to unlock your account again is the other problem.
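The trade-off in this comment (a temporary, per-account lock on failed attempts is sensible; counting successful logins and blocking an entire /24 is not, and there should be a way to unlock) can be modelled in a few lines. The following is an added example written for this page, not Facebook’s code; the class name, thresholds and addresses are constructed.

```python
import ipaddress
import time
from collections import defaultdict

# Constructed model of a login throttle. The defaults are the sensible policy:
# count only failed attempts, key on the account and the single source /32,
# let the lock expire on its own, and expose an unlock path for support staff.
# Setting count_successes=True and block_prefix=24 reproduces the behaviour
# the post describes: a legitimate user who logs in often trips the lock and
# everyone in the same class C range is blocked along with them.
class LoginThrottle:
    def __init__(self, max_failures=6, window=300, lock_seconds=900,
                 count_successes=False, block_prefix=32):
        self.max_failures = max_failures        # attempts inside `window` that trip a lock
        self.window = window                    # seconds over which attempts are counted
        self.lock_seconds = lock_seconds        # how long a tripped lock lasts
        self.count_successes = count_successes  # whether successful logins count too
        self.block_prefix = block_prefix        # 32 = this IP only, 24 = whole class C
        self.attempts = defaultdict(list)       # key -> timestamps of counted attempts
        self.locked_until = {}                  # key -> time the lock expires

    def _keys(self, user, ip):
        net = ipaddress.ip_network(f"{ip}/{self.block_prefix}", strict=False)
        return (f"user:{user}", f"net:{net}")

    def is_locked(self, user, ip, now=None):
        """True if either the account or the source network is currently locked."""
        now = time.time() if now is None else now
        return any(self.locked_until.get(k, 0) > now for k in self._keys(user, ip))

    def record(self, user, ip, success, now=None):
        """Record one attempt; returns True if it tripped a lock."""
        now = time.time() if now is None else now
        if success and not self.count_successes:
            return False  # sensible policy: successful logins are never suspicious
        tripped = False
        for k in self._keys(user, ip):
            recent = [t for t in self.attempts[k] if now - t < self.window]
            recent.append(now)
            self.attempts[k] = recent
            if len(recent) >= self.max_failures:
                self.locked_until[k] = now + self.lock_seconds
                self.attempts[k] = []
                tripped = True
        return tripped

    def unlock(self, user):
        """Support-desk path: clear the account lock (the network lock still expires)."""
        self.locked_until.pop(f"user:{user}", None)
```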
That’s the other side of the coin, particularly it being free: if you don’t like it, don’t use it. I think I really could go the rest of my life without having to look at another version of someone’s home movie, and I’m old skool on instant messaging: it’s called a telephone, and the only ones who really need to type out their instant conversations are usually hearing challenged on the telephone … but not much room for ad revenues there.
It’s called intrusion detection. The systems are usually configurable to whatever parameters the owner sets.
Yep. My favorite operating system doesn’t even tell you (the person attempting to log in) that the account is locked. It just keeps displaying “User Authentication Failure”. We had it set for 6 failures = disabled. Of course the operator.log file and the console will have the alarm message that an account has just been marked as an Intruder and/or disabled. And depending on how tight the system manager has set things, even the source of the login attempt will be locked out. Oh what fun it was to tell users they had 2 choices: wait until the intruder status went away (it was a variable amount of time) or go to their supervisor to have some paperwork filled out indicating a password reset was needed.
I dare everyone to delete their Facebook. Or, Try. You can’t delete your account.
Hence their “millions of users.”
Mine is Inactive, the only setting they allow.
There’s a one click kill for facebook.
Waiting on Diaspora.
Not true. They are deletable.
Wait…you can get it to block entire IP ranges just by loading it up with bogus logons?
So how long until some botherder DDOSes it?
Every banking site, my mortgage site, my utility bills, my car payment site all have this same blocking feature. The only way to become “unblocked” is to call them or wait the period of time they require. I had this happen when I tried logging in several times to my bank account and suddenly it said I had one more attempt left. It was a newer account, and it actually was case sensitive for user names as well as passwords. I knew I had the right password, but only after I called did I find out the case sensitivity part.
That’s all fine, but Facebook doesn’t have anything in place to remove the block. That is the issue here.
If someone posts my account details somewhere, I want my account locked.
I’m signed into Facebook on two computers at once and two phones. It requires me to do a captcha on the computer for almost anything I do.
i’m so cool because i hate facebook!
This is unbelievable! It’s unheard of! In fact I don’t believe that this is true at all!
Facebook RESPONDED TO SOMEONE?????
So in theory I could lock out all of my “friends” accounts to keep them from playing farmville and throwing sheep at me with this trick…
No, it penalizes you instead of your friend. That’s a good move, imo
That’s not a flaw, it’s a security feature.
Just do what I (and millions like me) did… quit using Facebook. It is nothing but a time waster. If one wants to be “social” GET OUT OF THE EFFING HOUSE!
What? Why?!?
And yet many of today’s smart phones and some regular cell phones can access Facebook. There goes your “get out of the house” rant/point.
*shrugs* Probably.
I know about this one though:
http://consumerist.com/2010/07/personal-info-for-100-million-facebook-users-harvested-into-one-file.html
Why not add on the log-on feature that makes you read/type in a series of letters and numbers every time?
They’ll also lock your account if you make too many friend requests in a certain amount of time. They don’t specify what constitutes “too many” or what the amount of time is. I get warnings if I try to add more than 4 new friends within a day. I’ve even heard of people getting blocked when they use Facebook’s own tool to add friends that are in your email address book because it exceeds their unknown “too many/too fast” limit. And what about new accounts? Those people are likely to try to find all of their friends and add them right away which, according to FB, is ban-worthy.
I’ve seen theories that they’re trying to stop users from adding people they don’t actually know just to play games like Farmville with them. They seem to forget that games drive a lot of traffic to FB.
Sounds more like anti-spambot measures though I agree that the number of friend requests before it kicks in is too low.
I even sent a unique message for each friend request, hoping the bot would “see” me as a person since I wasn’t just sending blank friend requests, but I guess it’s not that smart (though I guess a script could also be written to include a random message with each friend request if someone were so inclined to write one).
And it’s not just on the computer. It’s happening to mobile phones too. The husband got blocked out of his Facebook Mobile account when his phone froze and he tried to log in after he’d restarted his phone. He had to e-mail to get his IP address unblocked, but they claimed it was suspicious activity as well.
I sometimes have problems logging in. I use many different ways of logging in though, my phone, xbox, pc, ipod touch, trillian… and a while ago I was checking out and trying different apps to use with the facebook IM, so I’m sure all those logins caused some problems for me.
Seems an aid in having more than one account. Facebook may think logging in and out quickly is switching accounts.
I have doubts simply because I don’t believe the claim that he was able to send a detailed email to Facebook, not to mention that he actually got a reply.
I really think a lot of people are missing the point of the article/letter.
It’s not about incorrect logins, primarily. Facebook actually has a good policy on that one, in banning the IP of someone potentially trying to gain access to another person’s account.
It’s about legitimately logging in too many times in a short period – what does that protect?
I don’t Facebook, just another reason why … besides having a life instead of posting a webpage about it for imaginary friends. Hey, anybody remember those zany sitcoms where the neighbors got trapped into being forced to watch home movies of someone else’s vacation? Welcome to Facebook!
PS: yawn.