Password Reset Flaw Makes Hacking Facebook Accounts a Possibility
A security researcher has reported how "simple" it is to change a user's password on Facebook due to a brute-force vulnerability in the social media network's beta site. He claims to have earned $15,000 for discovering a vulnerability that could be exploited to hack Facebook user accounts.
[...] a simple vulnerability found on Facebook which could have been used to hack into other user's Facebook account easily without any user interaction. This gave me full access of another users [sic] account by setting a new password. I was able to view messages, his credit/debit cards stored under payment section, personal photos etc [sic]
Password reset flaw helped a researcher to hack Facebook accounts
India-based Anand Prakash wrote in a blog post that he discovered how simple it was to change a user's password on Facebook due to a brute-force vulnerability in the social media giant's beta site, beta.facebook.com. The beta domain receives major code changes and fixes before they are released, allowing developers to perform tests and report any issues. Prakash found a password reset vulnerability in the beta site that gave him access to any Facebook account. How did it work?
When users forget their password and try to reset it, Facebook sends them a 6-digit code via email or text message. Users can try up to a dozen password reset codes before Facebook's brute-force protection policies block further attempts to enter the account. Prakash discovered that these brute-force protections weren't implemented on the beta site, allowing him to find the correct 6-digit code by brute force.
Neither beta.facebook.com nor mbasic.beta.facebook.com applied any rate limiting to its password reset process, so a brute-force attack was trivial. Using nothing more than the Forgot Password window, the researcher was able to guess the code correctly, since Facebook set no limit on the number of incorrect attempts at entering the confirmation code on those hosts.
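As an added illustration (not code from the article, the researcher, or Facebook), here is what the missing control looks like on the server side: a per-reset attempt counter that refuses the code after a dozen wrong guesses, keyed by account rather than by hostname so a beta host cannot sidestep it. The class and function names and the 15-minute code lifetime are assumptions.

```python
import hmac
import secrets
import time

MAX_ATTEMPTS = 12            # the article: roughly a dozen tries before lockout
CODE_TTL_SECONDS = 15 * 60   # assumption: a reset code lives 15 minutes


class ResetCodeStore:
    """Server-side state for pending password-reset codes.

    Keyed by account, not by hostname, so every host that serves the reset
    flow (production, beta, mbasic.beta, ...) draws on one attempt budget.
    """

    def __init__(self):
        self._pending = {}   # account -> [code, expires_at, attempts]

    def issue(self, account, now=None):
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**6):06d}"   # 6-digit code, as described
        self._pending[account] = [code, now + CODE_TTL_SECONDS, 0]
        return code   # delivered out of band (email/SMS), never to the client

    def verify(self, account, submitted, now=None):
        """Return 'ok', 'wrong', 'locked' or 'expired'.

        The per-reset attempt counter is the control the beta hosts lacked:
        without it, the 10**6 possible codes can simply be tried in turn.
        """
        now = time.time() if now is None else now
        entry = self._pending.get(account)
        if entry is None:
            return "expired"
        code, expires_at, attempts = entry
        if now > expires_at:
            del self._pending[account]
            return "expired"
        if attempts >= MAX_ATTEMPTS:
            return "locked"           # even a correct guess is refused now
        entry[2] = attempts + 1
        # Constant-time comparison so response timing leaks nothing about
        # how many leading digits matched.
        if hmac.compare_digest(code.encode(), str(submitted).encode()):
            del self._pending[account]   # single use
            return "ok"
        return "wrong"
```

Requesting a fresh code resets the counter, so the issue path needs its own per-account limit as well; that part is left out here.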
This simple but critical vulnerability could give malicious actors access to endless opportunities as they could simply reset any account's password and get access to the content, including payment details, associated with the account.
Prakash demonstrated the brute-force attack in a proof-of-concept video. The researcher used Burp Suite, a popular web application security testing tool, to show how easily the 6-digit codes could be guessed.
According to the researcher, he reported the password reset vulnerability to Facebook on February 22. The company patched it the next day and rewarded his work with $15,000 through its bug bounty program.