Does correcting misspelled usernames create a security risk?
As you said, you saw this on Facebook, so I tried these steps:
- Login with [email protected] and real password -> works
- Login with [email protected] and real password -> works, too (!)
- Login with [email protected] and real password -> also works
- Login with [email protected] and real password -> also works
- Login with [email protected] and wrong password -> Wrong password, but email got automatically corrected to the right email
- Login with [email protected] in a private tab (or a browser with cleared cache & cookies) -> "The email you’ve entered doesn’t match any account"
As the correction only seems to work when I have already successfully logged into FB at this PC, I would say that this is not a vulnerability in Facebook.
Edit: Added new test cases; thanks Zymus, simbabque and Micheal Johnson for the suggestions
Allowing username or email iteration may be a security problem for most sites, but not for Facebook. For sites as large as Facebook, finding emails that have accounts is easy because the sites have so many users. This holds for other huge user databases like Google and Microsoft. These companies just have to be secure in the face of their username/email databases being (sort of) publicly known.
That said, I would be surprised if this was the first time that you were using Facebook with the same browser, computer, or even IP address. It just doesn't make sense for them to complete usernames as any email-looking string is probably close to one or more of their users. I suspect that Facebook had some way of knowing that you were you.
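As an added example (not code from either answer, and not Facebook's implementation) of the design both answers point at: a login handler that only autocorrects a mistyped email against accounts that have already authenticated successfully from this browser, and returns the same generic error for everything else. The user table, the device-side "known accounts" set and the difflib-based similarity threshold are constructed assumptions for the demo.

```python
import difflib
import hashlib
import hmac

# Constructed sample user table: email -> salted password hash (hypothetical users).
_SALT = b"constructed-demo-salt"


def _hash(password):
    return hashlib.sha256(_SALT + password.encode()).hexdigest()


USERS = {
    "alice@example.com": _hash("correct horse"),
    "bob@example.com": _hash("battery staple"),
}

# Same message whether the email is unknown or merely mistyped on a fresh device,
# so a failed login leaks nothing about which addresses have accounts.
GENERIC_ERROR = "The email you've entered doesn't match any account"


def suggest_from_device(typed, known_on_device, cutoff=0.85):
    """Closest match among accounts that already logged in from this device, else None.

    The candidate list is the device-local set, never the global user table, so the
    correction can only reveal addresses this browser has already proven it owns.
    """
    matches = difflib.get_close_matches(typed, sorted(known_on_device), n=1, cutoff=cutoff)
    return matches[0] if matches else None


def login(typed_email, password, device_known):
    """Authenticate; device_known is a mutable set persisted per browser (e.g. in a cookie)."""
    email = typed_email.strip().lower()
    if email not in USERS:
        corrected = suggest_from_device(email, device_known)
        if corrected is None:
            return {"ok": False, "message": GENERIC_ERROR, "email": None}
        email = corrected  # correction shown to the user, as in the FB test cases
    # Constant-time comparison of the stored and supplied hashes.
    if not hmac.compare_digest(USERS[email], _hash(password)):
        return {"ok": False, "message": "Wrong password", "email": email}
    device_known.add(email)  # remember the account only after a successful login
    return {"ok": True, "message": "Logged in", "email": email}
```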