A security researcher discovered a "simple vulnerability" in the social network that allowed him to easily hack into any Facebook account, view message conversations, post anything, view payment card details and do whatever the real account holder can.
Facebook bounty hunter Anand Prakash from India recently discovered a Password Reset Vulnerability, a simple yet critical vulnerability that could have given an attacker endless opportunities to brute force a 6-digit code and reset any account"s password.
The vulnerability actually resides in the way Facebook"s beta domains handle "Forgot Password" requests.
Facebook lets users change their account password through Password Reset procedure by confirming their Facebook account with a 6-digit code received via email or text message.
To ensure the genuinity of the user, Facebook allows the account holder to try up to a dozen codes before the account confirmation code is blocked due to the brute force protection that limits a large number of attempts.
However, Prakash discovered that the social media giant had not implemented rate-limiting in its password reset process on the beta sites, beta.facebook.com and mbasic.beta.facebook.com, according to a blog post published by Prakash.
Prakash tried to brute force the 6-digit code on the Facebook beta pages in the "Forgot Password" window and discovered that there is no limit set by Facebook on the number of attempts for beta pages.
Prakash has also provided a proof-of-concept (POC) video demonstration that shows the attack in work. You can watch the video given below that will walk you through the entire procedure:
Share on FacebookShare on TwitterShare on LinkedinShare on RedditShare on Hacker NewsShare on EmailShare on WhatsApp