Facebook fixes simple security flaw which let you take over any account
Researcher Anand Prakash has been awarded $15,000 through Facebook's bug bounty program after disclosing a password flaw which allowed attackers to access accounts with little effort.
The flaw is a simple vulnerability which gave the researcher access to Facebook accounts "without any user interaction."
The researcher was able to access the full range of information saved in an account, including messages, photos, videos and financial information stored in the social media network's payment section.
Security
In a blog post on Monday, Prakash explained that missing security protocols in some versions of Facebook allowed attackers to reset account passwords without the legitimate owner's knowledge.
When a user forgets their account password, they can use the website's password reset feature, "Forgot Password," to recover access by entering their phone number or email address.
A six-digit code is then sent by the social network to verify the owner, and this code must be entered to create a new password.
On Facebook's main website, attempts to brute-force the code are blocked after 10 to 12 attempts. However, on beta pages beta.facebook.com and mbasic.beta.facebook.com, the scenario played out differently. The security researcher says rate limiting -- the anti-brute-force measure on the main website which prevents multiple attempts at finding the six-digit password reset code -- were missing from the other domains.
It was then short work for the researcher to brute-force attack his own account as a testbed and successfully set up a new password, granting himself access to the account and everything stored within.
The vulnerability was sent to Facebook on 22 February. As the critical vulnerability was simple and easily within the skill range of any homegrown cyberattacker, Facebook rapidly tested and acknowledged the flaw, patching the problem and awarding Prakash $15,000 as a reward for responsible disclosure.
The proof of concept is demonstrated in the video below.
In related news, this week Facebook announced plans to roll out a Wordpress plugin which adapts Web content for Instant Articles.
10 things you didn't know about the Dark Web
Read on: Top picks
- How to increase your Bitcoin mining profit by 30 percent with less effort
- SMS Android malware roots and hijacks your device - unless you are Russian
- Bug bounties: Which companies offer researchers cash?
- Shodan: The IoT search engine privacy messenger
- What happens when you leak stolen bank data to the Dark Web?