Sunday, 1 May 2016

Twitter doesn’t need a Password to Log In! Really?!

This morning I installed the Twitter Android app, version 5.91.0, on my device (Moto G3). I found that I was able to log in without setting up a password. I followed the steps below to log in without a password.

Steps to reproduce

Step 1
On the Home screen I tapped the Sign Up button.

Step 2
I entered my name, Pranav, in the name text field and tapped the “Next” button.

Step 3
On the verification screen I entered the phone number (8888888888) and received a verification code. I entered the verification code. It then took me to the Enter Password screen, where I needed to enter a password to activate my account.

Step 4
I got a message stating that my phone was activated. I closed the Twitter app and launched it again; it asked me to enter the password.
I closed the Twitter app again and launched it again, but this time I cleared the Twitter app data first (Settings -> Apps -> Twitter -> Storage -> Clear Data).
I was surprised, because I was logged in to my account with the Twitter handle @Pranav96003942. I had not set a password for the account, but I was logged in.

Fig 1: After Login Screen

Step 5
Then I decided to investigate further. I cleared the Twitter app data and followed Steps 1, 2, 3 and 4 again with the same mobile number (8888888888) that I had registered previously.
I discussed this with Santhosh Tuppad; he then did a search from his Twitter account for the handle @Pranav96003942, but the account was not found, because it takes some time to update in the Twitter database.

Step 6
Santhosh asked me to follow him on Twitter, and I immediately followed @Santhoshst. Santhosh got a notification that I was following him. I was also able to tweet from the account @Pranav96003942.

Step 7
Now Santhosh asked me to check whether I could change the password. I went to the Change Password screen, where I needed to enter the current password in order to change it, but I did not know the current password. We tried entering the verification code as the current password and got a toast message: “Your Old Password was entered incorrectly”.
Fig 2: Change Password Screen

Step 8
Then I tapped Forgot Password. I entered the number (8888888888) with which I had registered, to get the passcode. I got an error message stating “We Found More than one account with the Phone Number”. I got this because I had registered the same number twice.

Fig 3: Forgot Password screen with Phone Number 

Step 9
I tried to recover the password with the username @Pranav96003942, and I got a passcode on the registered number. I then reset the password by entering a new one, and logged out of the account. When I tried to log in with the mobile number and the password, I was not able to log in; I got an error message stating “We Found More than one account with the Phone Number”.
Fig 4: On Login with registered number

Step 10
Finally, I realized that version 5.91.0 was not the latest one. So I updated the app to the latest version and tested the above steps again. I was logged in without a password.

My Conclusion about this behavior
The first issue: I had never entered my password at login. So if I log out of the account I can’t log in again; to recover my password I need to do a Forgot Password and then reset it with a new one. This is the user-experience issue.

Secondly, the user must not be allowed to register with the same number again. Because it allows the registration, I get an error message stating “We Found More than one account with the Phone Number”.
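To make the two conclusions concrete, here is an added example that models the sign-up flow from the steps above. It is my own constructed illustration, not Twitter's code and not part of the original post: it assumes an in-memory account store, a made-up handle format, and an SMS code that is returned to the caller so the example runs offline. The "lenient" store reproduces both behaviours (a session is opened as soon as the phone is verified, and the same phone can be registered twice, which later makes phone-based login and recovery ambiguous); the "strict" store refuses both.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional
import hashlib
import hmac
import os
import secrets


class AmbiguousPhone(Exception):
    """More than one account is bound to this phone number."""


class DuplicatePhone(Exception):
    """A verified account already uses this phone number."""


class PasswordRequired(Exception):
    """The account has no password yet, so no session may be opened for it."""


@dataclass
class Account:
    handle: str
    name: str
    phone: str
    salt: Optional[bytes] = None
    password_hash: Optional[bytes] = None   # None until the user sets one


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AccountStore:
    """Constructed toy account store; strict=True enables the two fixes."""

    def __init__(self, strict: bool) -> None:
        self.strict = strict
        self.accounts: List[Account] = []
        self.sessions: Dict[str, str] = {}        # session token -> handle
        self._pending_codes: Dict[str, str] = {}  # phone -> SMS code
        self._seq = 0

    def send_code(self, phone: str) -> str:
        # Stand-in for the SMS step: the code is returned so the example runs
        # offline. A real service would only deliver it out of band.
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending_codes[phone] = code
        return code

    def signup(self, name: str, phone: str, code: str) -> Account:
        if self._pending_codes.pop(phone, None) != code:
            raise ValueError("verification code did not match")
        if self.strict and self._by_phone(phone):
            # Fix 2: a verified phone number belongs to at most one account.
            raise DuplicatePhone(phone)
        self._seq += 1
        acct = Account(handle=f"@{name}{self._seq:08d}", name=name, phone=phone)
        self.accounts.append(acct)
        return acct

    def set_password(self, acct: Account, password: str) -> None:
        acct.salt = os.urandom(16)
        acct.password_hash = _hash_password(password, acct.salt)

    def open_session(self, acct: Account) -> str:
        # Fix 1: the lenient store hands out a session as soon as the phone is
        # verified; the strict store refuses until a password exists.
        if self.strict and acct.password_hash is None:
            raise PasswordRequired(acct.handle)
        token = secrets.token_urlsafe(16)
        self.sessions[token] = acct.handle
        return token

    def _by_phone(self, phone: str) -> List[Account]:
        return [a for a in self.accounts if a.phone == phone]

    def resolve_phone(self, phone: str) -> Account:
        # Shared by "log in with phone" and "forgot password". Two accounts on
        # one number cannot be told apart, hence the post's error message.
        matches = self._by_phone(phone)
        if len(matches) != 1:
            raise AmbiguousPhone(phone) if matches else KeyError(phone)
        return matches[0]

    def login_with_phone(self, phone: str, password: str) -> str:
        acct = self.resolve_phone(phone)
        if acct.password_hash is None:
            raise PasswordRequired(acct.handle)
        if not hmac.compare_digest(_hash_password(password, acct.salt), acct.password_hash):
            raise ValueError("wrong password")
        return self.open_session(acct)


def reproduce(strict: bool) -> dict:
    """Walk the post's steps against one store and report what happened."""
    store = AccountStore(strict=strict)
    phone = "8888888888"          # the number used in the post
    out = {}
    first = store.signup("Pranav", phone, store.send_code(phone))
    try:                          # step 4: session with no password set?
        store.open_session(first)
        out["session_without_password"] = True
    except PasswordRequired:
        out["session_without_password"] = False
    try:                          # step 5: register the same number again
        store.signup("Pranav", phone, store.send_code(phone))
        out["duplicate_allowed"] = True
    except DuplicatePhone:
        out["duplicate_allowed"] = False
    store.set_password(first, "correct horse battery staple")  # step 9 reset
    try:                          # step 9: log in by phone after the reset
        store.login_with_phone(phone, "correct horse battery staple")
        out["phone_login_ok"] = True
    except AmbiguousPhone:
        out["phone_login_ok"] = False
    return out


if __name__ == "__main__":
    print("lenient:", reproduce(strict=False))
    print("strict: ", reproduce(strict=True))
```

Running it shows the lenient store issuing a session before any password exists and then failing phone login after the second registration, exactly the pair of symptoms the post reports; the strict store instead rejects the early session and the duplicate sign-up, and phone login after the reset succeeds because the number maps to one account.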