Hacking a Facebook account is a popular topic on the internet, but it is genuinely hard to find a way into someone's account that would let an attacker read all of the victim's conversations, post as the victim, see stored payment card details, and do anything else with the account.
Recently, however, a 'simple vulnerability' was found in Facebook that gave exactly that power over any user's account, with no user interaction required: by setting a new password, an attacker could read all messages and personal photos and view the details of the credit/debit cards stored in the account.
The vulnerability was found by bug hunter Anand Prakash from India, who discovered a password reset vulnerability in Facebook. Facebook acknowledged and fixed the issue and rewarded him $15,000 USD in view of its impact.
HOW IT WORKS:
This is a simple but critical vulnerability: it gave an attacker an unlimited number of attempts at resetting any account's password.
As you know, whenever we forget the password of our Facebook account we have the option to reset it by entering our phone number or email address on Facebook. Facebook then sends a 6-digit code to that phone number or email address, and entering the code lets us set a new password.
To make sure the person requesting the reset is the genuine account holder, Facebook normally allows only about a dozen attempts at the code before the account confirmation code is blocked; this brute-force protection limits the number of guesses an attacker can make.
The security researcher explains in his blog post that Facebook had not implemented this rate limiting in the password reset flow on its beta sites, beta.facebook.com and mbasic.beta.facebook.com.
He tried brute-forcing the 6-digit code on the 'Forgot Password' page of the beta sites and found that there was no limit on the number of codes that could be attempted there.
Here's a proof-of-concept (PoC) video demonstration by Anand Prakash which shows how the attack works. The request he brute-forced was:

```http
POST /recover/as/code/ HTTP/1.1
Host: beta.facebook.com
```
Brute forcing the "n" successfully allowed me to set a new password for any Facebook user.
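To make the mechanics concrete, here is an added local simulation written for this article. It is not Anand Prakash's proof of concept and it does not talk to Facebook: a toy endpoint checks a 6-digit code, once with no attempt limit (the beta-site behaviour described above) and once with a lockout after a dozen wrong guesses (the production behaviour), and a brute-force loop is run against both. The path, host and the "n" parameter come from the PoC request above; the form body `n=<code>`, the 12-attempt limit and the victim's code are assumptions made here for illustration.

```python
"""
Added simulation of the beta.facebook.com reset-code brute force.

Not Anand Prakash's PoC and not Facebook's code. The endpoint path, host
and the "n" parameter are from the PoC request in the article; the body
format `n=<code>`, the 12-attempt limit and the secret code are assumed.
"""
from dataclasses import dataclass
from typing import Optional

CODE_SPACE = 10 ** 6  # six-digit codes: 000000 .. 999999


def build_request(n: str, host: str = "beta.facebook.com") -> str:
    """Raw HTTP request for one guess, modelled on the PoC request.

    The form-encoded body `n=<code>` is an assumption; the article only
    says that the "n" parameter carried the code.
    """
    body = f"n={n}"
    return (
        "POST /recover/as/code/ HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n"
        "\r\n"
        f"{body}"
    )


@dataclass
class ResetEndpoint:
    """Toy server-side model of the code check for one reset session.

    max_attempts=None reproduces the beta-site behaviour (no limit at all);
    a small integer models the production behaviour of invalidating the
    code after roughly a dozen wrong guesses.
    """
    secret_code: str
    max_attempts: Optional[int] = None
    attempts: int = 0
    locked: bool = False

    def submit(self, n: str) -> str:
        """Return 'ok', 'wrong' or 'blocked' for one guess."""
        if self.locked:
            return "blocked"
        self.attempts += 1
        if n == self.secret_code:
            return "ok"
        if self.max_attempts is not None and self.attempts >= self.max_attempts:
            # Code invalidated: the user must request a fresh one.
            self.locked = True
        return "wrong"


def brute_force(endpoint: ResetEndpoint) -> Optional[str]:
    """Try every six-digit code in order until one is accepted.

    Returns the accepted code, or None if the endpoint blocked us first.
    Against an unlimited endpoint this always succeeds within CODE_SPACE
    requests; each request would look like build_request(candidate).
    """
    for i in range(CODE_SPACE):
        candidate = f"{i:06d}"
        result = endpoint.submit(candidate)
        if result == "ok":
            return candidate
        if result == "blocked":
            return None
    return None


if __name__ == "__main__":
    print(build_request("000000"))
    victim_code = "483921"  # constructed: the code Facebook would have sent the victim
    beta = ResetEndpoint(victim_code)                   # beta site: no limit
    print("beta site:", brute_force(beta), "after", beta.attempts, "requests")
    prod = ResetEndpoint(victim_code, max_attempts=12)  # production: ~12 guesses
    print("rate-limited:", brute_force(prod), "blocked after", prod.attempts, "requests")
```

The point the simulation makes is that the limit has to be tied to the code itself, server-side, and enforced identically on every host that can redeem it; a cap that exists on www.facebook.com but not on beta.facebook.com is the same as no cap, because the attacker simply picks the host without the check.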
Anand discovered this simple but critical vulnerability in February and reported it to Facebook on February 22. The social network giant fixed the issue immediately and rewarded him $15,000 USD in view of the severity and impact of the vulnerability.
The HOC team congratulates Anand on discovering this vulnerability and being rewarded by Facebook.