Header Ads

Facebook paid $15,000 bounty for recently discovered Password Reset Vulnerability

A security researcher discovered a 'simple vulnerability' in the social network that allowed him to easily hack into any Facebook account, view message conversations, post anything, view payment card details and do whatever the real account holder can.

Facebook bounty hunter Anand Prakash from India recently discovered a Password Reset Vulnerability, a simple yet critical vulnerability that could have given an attacker endless opportunities to brute force a 6-digit code and reset any account's password.

How the Flaw Works

The vulnerability actually resides in the way Facebook's beta domains handle 'Forgot Password' requests.

Facebook lets users change their account password through Password Reset procedure by confirming their Facebook account with a 6-digit code received via email or text message.

Prakash discovered that the social media giant had not implemented rate-limiting in its password reset process on the beta sites, beta.facebook.com and mbasic.beta.facebook.com, according to a blog post published by Prakash.

Prakash tried to brute force the 6-digit code on the Facebook beta pages in the 'Forgot Password' window and discovered that there is no limit set by Facebook on the number of attempts for beta pages.

-To ensure the genuinity of the user, Facebook allows the account holder to try up to a dozen codes before the account confirmation code is blocked due to the brute force protection that limits a large number of attempts.

As Prakash explained, the vulnerable POST request in the beta pages is:


Brute forcing the 'n' successfully allowed Prakash to launch a brute force attack into any Facebook account by setting a new password, taking complete control of any account.

0.5 seconds per HTTP request you still require 5.7 days(max) to brute force 6 digits for a single account and assume the code did not expires (+ no complaint when people look at their phone/email). 

Video Demonstration

Prakash has also provided a proof-of-concept (POC) video demonstration (The Software he use is Burp Suite ) that shows the attack in work. You can watch the video given below that will walk you through the entire procedure:

Prakash  discovered the vulnerability in February and reported it to Facebook on February 22. The social network fixed the issue the next day and had paid him $15,000 as a reward considering the severity and impact of the vulnerability.

No comments

blogmytuts. Powered by Blogger.