New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Facebook forced me to check account security and change password #282
Comments
Are you talking about two different computers, or the same computer in the same network with different operating systems?
Where did you get that idea from? Also, why would you want to use the old password? |
Same computer, same public IP, different operating systems. I already been using purple-facebook in Linux on the two different computers on the same network with the same public IP for a long time. This was the first time I tried to log in via purple-facebook from a different OS, Windows 7. I want to use the old password because it's easier to change the password on Facebook once than to change passwords on multiple things I use to log in to Facebook. I was wrong about the 100 thing; I remembered that from someone's post, but that is for using an old password on Google. Facebook allows password reuse, but whatever purple-facebook did caused Facebook to see that login attempt as an attempt by someone else to access my account, and blacklist that particular password. |
Hi! I get same result. Pidgin can't login with this plugin and Facebook blocked my account. I had to change my Facebook password. |
If you're in Windows or willing to use Wine, you might want to consider Miranda NG, which has another different Facebook plugin. However, that plugin caused me to get captchas on Facebook, even when posting and sharing totally and obviously innocent things via the normal web interface. They make changes to the plugin and the captchas go away, but then they come back. I was actually just switching from Miranda IM to Pidgin in Windows when this happened, because in the past purple-facebook has worked really well, and never triggered any kind of problematic response from Facebook. Then I got this. I wonder if it's just some issue with the Windows version and/or the currently released libfacebook.dll? Before I used this for a long time in Ubuntu via the repository on two computers and for a bit in Raspbian, without any problems. |
Honestly it sounds like your account has a history of getting flagged for suspicious behavior (from the point of view of facebook, not saying you're actually doing anything suspicious, to be clear), or, at the very least, that the miranda plugin isn't doing better than this one. There are no differences between the linux and the windows versions, they are compiled from the same source and there's no platform-specific code. Have you tried using app passwords? |
just installed the dlls on windows into their folders, tried signing in and my facebook got locked also also tried with setting a new app password and the same result. |
Just to be clear, after verifying the account, does the plugin work normally? Or does it trigger account verification on every login? |
keeps on tripping the verification everytime, tried 8 times or so already "User must verify their account on www.facebook.com (405)" on pidgin and get "Your Account Is Temporarily Locked |
@xillwillx Are you using a VPN or anything like that? |
I have the same problem on two devices (both windows 10). Seems like Facebook changed something on their authorization. Even after I changed my passwords I could not use pidgin, because facebook denies the access. |
@dequis I've tried app password and working fine with pidgin. Thank you! |
That happened to me too. Fresh Ubuntu/pidguin install |
Just had the issue myself, connected from a pidgin i hadn't used in a while in a computer from which i had logged in yesterday, all the same connection, no proxies or VPNs, etc. It only got flagged because of the plugin. First, pidgin threw the error from issue #268
That's after getting an invalid queue error which is normal after not using the account in a while, and the sort of thing that triggers a complete relogin. Logging in to facebook web showed this: After which it asked to change password and optionally enable login alerts. No friend photo verification, no forced ID checks, no mentions of malware (search "facebook checkpoint" in google images for the different kind of errors you can get at that page), so not too bad overall. For me it was enough to change password once and pidgin reconnected just fine without changing the app password that is associated to the pidgin account (in other words, app passwords don't get invalidated after changing the main password). Everything worked fine after that point. There's a couple of differences between this and what @xillwillx described - the pidgin error message, the wording of the checkpoint, the persistence of the error itself. For the other people in this thread who had this issue, is it closer to my description or @xillwillx's? |
Okay, here, a short list of all the information I need:
Please, everyone who posted here so far, reply with a comment including all of these. |
suspicious activity is what i get, im using pidgin and browser on same computer, no proxies/vpns just tried a different win8 machine, worked perfect with no issue |
tried app passwords, but it did not work as well, suspicious activity and forced password change. using no vpn/proxies. tried two different internet connections, same problems. happens on every login attempt, cant use pidgin at all. yes, after password change I can use facebook, but not pidgin. everything worked fine until yesterday/ 2 days ago no other clients used both machines win 10 btw, worked fine before though |
It's working for me now in Windows 7, the exact same install which caused the problem before. Not using an app password. |
My OS: |
Second time had been forced to change the password this week. pidgin says "User must verify their account on www.facebook.com (405)". no proxy, no vpn.suspicious activity, not using app passwords, after password change was able to use for a few days without a problem. was logged in on same machine.no any other plugin. Using the same plugin for a while happen after restarting pidgin Debian sid plugin compiled from source |
Hi, I have been having the similar problem recently. It worked fine before.
Silly question (I am ashamed): I have done a Linux update around the same date. Could have it played a role? Infos here: EDIT: I have two accounts. The pluging now works for one of my two accounts after recompiling from the tar.gz (https://github.com/dequis/purple-facebook/releases):
Plugin version now appears as: 66ee77378d82 For the other account, the situation is as before reinstalling (same error messages from pidgin, same absence of security issue from FB). The plugin used to work for both at the same time before the bug appeared. |
For this kind of error you may try removing the pidgin account and adding it again (to remove the cached tokens), see #268 For everyone else: please try to follow the template with the questions in that order without skipping, otherwise you're just making it harder to read, and sometimes hard to make any conclusions at all. I'm trying to find patterns here, so please help me help you all. You can edit your existing comments from github. For those who haven't replied: even if the issue is already fixed, your replies are still useful. |
I have the same issue now. Errors thrown by pidgin > User must verify their account on www.facebook.com (405) |
|
This worked for me (I had to re-check my account on FB online and then it worked). Thanks. |
Okay, here, a short list of all the information I need:
|
Good idea, I've added a mention of app passwords to basic usage section of the wiki. They can be created from this page: https://www.facebook.com/settings?tab=security§ion=per_app_passwords As far as I know, this is likely to help, but don't have a lot of information about it. If switching to app passwords improves things for anyone, please update your answers to mention so. |
It asks me about the name of the app. Does the name matter or I could whatever for the name? |
I answered that in the wiki page, lol.
|
I just released a new version: https://github.com/dequis/purple-facebook/releases/tag/v0.9.0-c9b74a765767 A fresh windows dll is available in the usual location too: https://dl.voidium.net/pidgin/libfacebook.dll It contains one small relevant change, setting the user agent to a non-empty string. I don't know if that can help but it was wrong to have it as empty, so hopefully it improves things - at least facebook can identify us properly. Please upgrade and ensure you're actually running It might also help to end the previous session from this page: https://facebook.com/settings?tab=security§ion=sessions&view When moving the mouse over the question mark icon it should show the user agent. If it's a single dash and nothing else, that's the old purple-facebook: Click "End Activity" to kick it out. You'll get "Session does not match current stored session" on the next login. In my case that fixed itself with a reconnection, but if it doesn't, see #282 (comment) Once the new version logs in, it should show the session like this: Please report results after a week of testing (or whatever amount of time is needed to reproduce this issue), or at the first account lockdown while using this new version. I'm particularly interested to hear from people who didn't switch to app passwords and had this issue happening to them predictably (or people who had the issue anyway even when using app passwords) |
Please provide amd64 binaries. I don't see this latest version at http://download.opensuse.org/repositories/home:/jgeboski/xUbuntu_16.04/amd64/ . Anyways, I built it from source. I'm now using app passwords, with a separate app password for every install of Pidgin. No problems since doing that. However, I guess sessions using app passwords do not show up in the activity list? I am online, but none of the Messenger sessions are from today, but 10th and 17th November. |
Welp. OBS is fiddly and likes to fail randomly. I'll see what I can do about it.
They do show up. But sessions are cached and only refresh occasionally. That's why you should kill the old session by clicking "end activity" to make the new one appear. |
https://copr.fedorainfracloud.org/coprs/mcepl/spectrum2/ has been updated. Let's see how it goes! |
Damn, I forgot to end session so I went through the whole verification of the account again. Fortunately, the app password holded, so I ddin't have to change that. |
Do not end messenger sessions from https://www.facebook.com/settings?tab=security§ion=sessions&view for testing! Everything was working fine, but I still did not see the user agent, so I ended 3 messenger sessions, for 3 different Pidgin installs. This immediately disconnected Pidgin (only one was running), and when it tried to log in, using its app password, Facebook did that stupid thing again.
Edit: At least the stupid piece of shit called Facebook did not make me change the app passwords. It just presented the list and asked me whether I wanted to delete them. So I won't be needing to update them. Edit2: Regardless of the fact that the app password was still present, I was unable to get an access token and log in. So, I quit Pidgin and deleted everything in .pidgin/accounts.xml which seemed like an ID for the Facebook account. Then I connected. Now I finally see the user agent. |
quit pidgin, deleted dll, downloaded new dll, upgraded pidgin from 2.10.11 to 2.11,opened pidgin, deleted old account info and readded account , and it now works :) |
Been a while with no comments here, I guess that means it worked! |
I am getting the same behaviour when I try to login from Trillian. |
Also, it appears that I cannot use the same app password from two different computers. |
That's exactly use case that app passwords wasn't intended for. |
Since I started using app passwords, I only had that account security check requiring me to reset my password one time. That was after I ended Messenger sessions as a test. Instead, I have been getting occasional questions on the web asking if a particular login was me, at a URL starting with https://www.facebook.com/login_alerts/should_add_browser/?fbid= . These aren't really a problem, as I can just click on the button saying it was me and no further action is required. I also use Android x86 from occasionally, and I use the official Facebook Messenger app there. I have also gotten this question for logins from that app. So, maybe purple-facebook isn't doing anything special which triggers these things. Maybe it's just due to the way I do things, logging in via Messenger from various different operating systems, and sometimes not using one for a while. |
Yeah, everything looks normal now, closing this. If there are any similar (persistent) issues in the future please open a new ticket. |
Unfortunately this doesn't seem to be resolved or facebook changed its checks. I am experiencing this, too, now. I am running purple-facebook inside spectrum2 as an XMPP transport. That means it is permanently connected to the facebook network.
Here is a redacted version of the purple log from the spectrum transport which show a complete cycle of suddenly starting to get the issue as well as reconnection after reactivation: https://gist.github.com/languitar/4f01ab847a30a1c33202c1945492e706 |
Let the transport stay logged in permanently. There is checkbox for that when registering/editing the spectrum transport. Then Facebook will not get many logins since the FB session will not depend on Jabber session. As a bonus, you will get more privacy as nobody knows if you really there. |
Yikes, I see my issue. I thought I was using this maser version but instead I am using an outdated version of the plugin. |
@jkufner I thought I had enabled this option. However, now that I am registered, I can't find it anymore in the registration dialog in Psi. Any way to get this back? |
Phew, glad to hear that. For everyone else please remember to verify you're using the latest version as described in this comment: #282 (comment) |
@languitar please open a new ticket |
Happened again dammit!
Error validating access token: Session does not match current stored session. This may be because the user changed the password since the time the session was created or Facebook has changed the session for security reasons. (452)
Sorry, missed the first message, something about detected suspicious activity.
Same IP, and I had connected to Facebook from the web in Windows 10 within the last hour
No
Yes! I thought app passwords prevented this, but apparently they don't.
In the past changing the password was enough, but now I had to delete the token setting for prpl-facebook from accounts.xml. Otherwise I kept getting the same pidgin error, though not being forced to change the password.
I had to go through that 3 step process again, changing the password, checking app passwords, and checking activity. After the first failed login after that I again had to login to Facebook and do the second 2 steps (but didn't have to change my password). I was also asked if that was me, but saying yes to that was not enough to allow a login.
Worked in Linux on my laptop yesterday or even earlier today.
Not in months, because Miranda NG resulted in captchas when sharing stuff. |
ADMIN EDIT: For anyone with this issue, please answer all the questions listed in #282 (comment)
I've used purple-facebook for a while in Linux, and I just installed it in Windows 7, copying the Pidgin profile data from Linux. When I tried to log in Facebook thought my account was hacked and forced me to go through a security check and change my password. Now if I want to use my old password my understanding is I need to change my password 100 times so it forgets the old password. This is really annoying.
I was switching from Miranda NG to Pidgin in Windows mainly because of purple-facebook. Miranda NG caused Facebook captchas and I never had that problem with purple-facebook. Little did I know I was going to run into this shit.
The text was updated successfully, but these errors were encountered: