What is wrong with this screen (mobile interview question)
Before I start this post I am super excited to share my first YouTube video on Beyond Coding With Amish! 🚀 Inspired by my experiences at Digikala.com Ladder, I’ve launched this channel to delve into essential skills for success. From mastering soft and technical skills and career growth strategies to fostering effective teamwork and navigating project and engineering management, we’re in for an enriching journey! 💼🌱 Let’s learn and grow together!
Lately, I’ve had the opportunity to interview candidates for React Native roles, and I’ve been delving into various categories of questions. One crucial area I always touch upon is security. This question isn’t restricted to any specific field; it applies across the board, whether it’s frontend or backend, iOS, Android, Xamarin, or React Native. It’s essential to gauge a candidate’s understanding and approach to security, no matter the platform or technology stack.
Alright, let’s focus on this screen. You’ve got two inputs and a submit button to send your data. Once you’ve filled in the inputs and hit submit, the server responds with a message: “Your password is incorrect.”
What’s the security issue here? Nearly 70% of candidates struggled to identify it initially. Even after guidance, only 10% could pinpoint it correctly. The rest were stumped.
The problem lies in the server’s response, which reveals more than it needs to. By stating “Your password is incorrect,” it confirms to an attacker that the email belongs to a valid account and that only the password was wrong. This is commonly called account (or user) enumeration: the attacker no longer has to guess whether the email exists and can concentrate on the password alone.
To address this vulnerability, the server’s response should be generic, indicating that either the email or the password is incorrect, without specifying which one. This denies attackers any confirmation that the email they entered is valid. The generic message only helps if every other observable difference is removed as well: a different HTTP status code, a noticeably faster response when the email is unknown (because the password check is skipped), or a sign-up or password-reset form that still says “this email is already registered” leaks the same information.
As a front-end or mobile developer, it’s essential to be aware of such security vulnerabilities and collaborate closely with back-end developers or security experts to ensure that these issues are resolved promptly. Ensuring app security is a shared responsibility, and understanding security issues is crucial for maintaining the integrity of your app.