Hacking a Facebook account is one of the most common queries Internet users make today. Finding out how to hack a Facebook account is hard, but an Indian hacker just did it.
A security researcher discovered a 'simple vulnerability' in the social network that allowed him to easily hack into any Facebook account, view message conversations, post anything, view payment card details and do whatever the real account holder can.

Facebook bounty hunter Anand Prakash from India recently discovered a Password Reset Vulnerability, a simple yet critical vulnerability that could have given an attacker unlimited opportunities to brute-force a 6-digit code and reset any account's password.
Here's How the Flaw Works
The vulnerability resides in the way Facebook's beta domains handle 'Forgot Password' requests.

Facebook lets users change their account password through the Password Reset procedure by confirming their Facebook account with a 6-digit code received via email or text message.

To ensure that the requester is the genuine account holder, Facebook allows up to a dozen code attempts before the account confirmation code is blocked; this brute-force protection caps the number of guesses on the production site.

However, Prakash discovered that the social media giant had not implemented rate-limiting in its password reset process on the beta sites, beta.facebook.com and mbasic.beta.facebook.com, according to a blog post published by Prakash.

Prakash tried to brute-force the 6-digit code in the 'Forgot Password' window of the Facebook beta pages and discovered that Facebook set no limit on the number of attempts for the beta pages.
Here's the culprit:

As Prakash explained, the vulnerable POST request on the beta pages carried the parameters:

lsd=AVoywo13&n=XXXXX

Brute-forcing the 'n' value let Prakash set a new password on any Facebook account and take complete control of it.
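The difference between the production and beta behaviour described above comes down to whether the code-verification endpoint counts and caps attempts. The following is an added illustration, not Facebook's code or Prakash's, of a minimal server-side reset-code verifier: with max_attempts=12 it models the production cap of "a dozen" tries from the article, and with max_attempts=None it models the uncapped beta endpoints. The class and function names, the per-host audit helper, and the fixed demo code "000457" are constructed for this example; the guess loop is only a local test harness for checking that the cap actually triggers.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

CODE_DIGITS = 6
CODE_SPACE = 10 ** CODE_DIGITS  # 1,000,000 possible 6-digit codes


@dataclass
class ResetState:
    code: str
    attempts: int = 0
    locked: bool = False


class ResetCodeVerifier:
    """Hypothetical server-side verifier for 6-digit password-reset codes.

    max_attempts=12 mirrors the production cap the article describes;
    max_attempts=None mirrors the beta endpoints, where no cap existed.
    """

    def __init__(self, max_attempts: Optional[int] = 12):
        self.max_attempts = max_attempts
        self._states: Dict[str, ResetState] = {}

    def issue_code(self, account: str, code: Optional[str] = None) -> str:
        # A fixed code may be supplied so the demo below is deterministic;
        # a real deployment would always draw it from a CSPRNG.
        if code is None:
            code = f"{secrets.randbelow(CODE_SPACE):0{CODE_DIGITS}d}"
        self._states[account] = ResetState(code=code)
        return code

    def verify(self, account: str, guess: str) -> str:
        """Return 'ok', 'wrong' or 'blocked'. Every call counts as an attempt."""
        state = self._states.get(account)
        if state is None or state.locked:
            return "blocked"
        state.attempts += 1
        if self.max_attempts is not None and state.attempts > self.max_attempts:
            state.locked = True  # cap exceeded: code is dead, a new one must be issued
            return "blocked"
        if hmac.compare_digest(state.code, guess):  # constant-time comparison
            state.locked = True  # single use: invalidate the code after success
            return "ok"
        return "wrong"


def guess_until_blocked(verifier: ResetCodeVerifier, account: str,
                        max_guesses: int = CODE_SPACE) -> Tuple[str, int]:
    """Local test harness: submit codes 000000, 000001, ... to the verifier
    and report whether the cap stopped the loop, and after how many calls."""
    for n in range(max_guesses):
        result = verifier.verify(account, f"{n:0{CODE_DIGITS}d}")
        if result in ("ok", "blocked"):
            return (result, n + 1)
    return ("exhausted", max_guesses)


def guess_probability(max_attempts: int) -> float:
    """Chance that max_attempts uniformly random guesses hit one 6-digit code."""
    return max_attempts / CODE_SPACE


def hosts_without_cap(hosts: Dict[str, ResetCodeVerifier]) -> List[str]:
    """Audit helper: list deployments whose reset flow has no attempt cap.
    Every host serving the flow (beta domains included) must enforce it."""
    return sorted(name for name, v in hosts.items() if v.max_attempts is None)


if __name__ == "__main__":
    prod = ResetCodeVerifier(max_attempts=12)
    prod.issue_code("alice", code="000457")
    print("production:", guess_until_blocked(prod, "alice"))   # ('blocked', 13)

    beta = ResetCodeVerifier(max_attempts=None)
    beta.issue_code("alice", code="000457")
    print("beta:", guess_until_blocked(beta, "alice"))         # ('ok', 458)

    print("p(success | 12 tries):", guess_probability(12))     # 1.2e-05
    print("hosts missing cap:", hosts_without_cap({"www": prod, "beta": beta}))
```

The capped verifier locks the code on the 13th call regardless of the value guessed, so an attacker's odds are bounded at 12 in a million per issued code; the uncapped one lets the sequential loop walk straight to the correct value. The audit helper makes the article's actual root cause visible as a configuration check: the limit has to be enforced on every host that serves the reset flow, not only on the main site.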
Prakash (@sehacure) discovered the vulnerability in February and reported it to Facebook on February 22. The social network fixed the issue the next day and paid him $15,000 as a reward, reflecting the severity and impact of the vulnerability.