@mobeigi
Last active June 19, 2020 14:57
Facebook login quirk
It looks like Facebook automatically tries to correct mistyped emails when you log in.
If you log in with the wrong email but the correct password, it makes a brute-force/close-match attempt against similar emails.
If that succeeds, you are logged in to that account, even if the email you entered belongs to another user.
Seems to work even for really wack emails that are 4 characters different!
If both accounts have the same password, it logs in the email that matches.
Tested on a custom domain; it might be a lot less usable on public domains such as @gmail.com.
https://security.stackexchange.com/questions/214814/why-can-i-log-in-to-my-facebook-account-with-a-misspelled-email-password
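
A small model of the behaviour described above, contrasted with a strict lookup. This is an added example, not code from the gist and not Facebook's implementation: the edit-distance matching, the `MAX_DISTANCE` threshold, all function names and the sample accounts are assumptions made for illustration.

```python
import hashlib
import hmac
import os

MAX_DISTANCE = 4  # assumption taken from the note's "4 characters different"

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def register(accounts, email, password):
    salt = os.urandom(16)
    accounts[email] = (salt, kdf(password, salt))

def verify(accounts, email, password):
    salt, digest = accounts[email]
    return hmac.compare_digest(digest, kdf(password, salt))

def login_strict(accounts, email, password):
    """Only the account named in the request is ever checked."""
    ok = email in accounts and verify(accounts, email, password)
    return email if ok else None

def login_fuzzy(accounts, email, password):
    """Hypothetical model of the note: exact match first, then close emails."""
    if login_strict(accounts, email, password):
        return email
    near = sorted((edit_distance(email, e), e) for e in accounts if e != email)
    for dist, candidate in near:  # password is tested on accounts the request never named
        if dist <= MAX_DISTANCE and verify(accounts, candidate, password):
            return candidate
    return None

def demo_accounts():
    """Constructed sample accounts on a reserved test domain."""
    accounts = {}
    register(accounts, "alice@example.test", "correct horse")
    register(accounts, "alicia@example.test", "battery staple")
    return accounts
```

In the fuzzy path the account that ends up logged in can differ from the identifier that was submitted, so audit logs and per-account throttling in such a design would need to key on the resolved account.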