Facebook patches password reset flaw

Summary: Facebook has acted on advice from a security researcher to change how it resets passwords for accounts that are believed to be hacked.

Researcher Sow Ching Shiong has discovered a flaw in Facebook's password reset facility that would allow anyone holding a logged-in session to change the account's password without knowing the original password.

A common practice to regain access to a hacked account is to send a password reset to the user through an alternate channel of communication, such as via email or over the phone.

Sow wrote on his blog that "in normal circumstances, an authenticated Facebook user is required to enter his/her current password on the change password page to prevent an unauthorised person from changing the password without the user's knowledge."

This provides some protection for users who forget to log out of public terminals: although the next person may have access to the account for as long as the session lasts, they cannot keep control, since they cannot make account changes without knowing the user's password.

According to Sow, however, if an attacker navigated to a specific Facebook page designed for regaining control of hacked accounts, they would be able to perform a password reset without knowing what the original password was.

Sow reported the flaw to Facebook via its White Hats program, and it has now been patched to require the user to enter their original password.
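The two patterns the article contrasts, as an added example that is not Facebook's code and not from Sow's write-up: a change-password handler that trusts the session alone (the flawed flow) beside one that first demands the current password (the patched behaviour). The user store, session table, usernames and passwords are constructed for the example; PBKDF2 and the iteration count are assumptions about storage, and revoking the user's other sessions after a successful change is an added design choice that the article does not attribute to Facebook's fix.

```python
import hashlib
import hmac
import os
import secrets

# Constructed in-memory user and session tables for this example (not Facebook's code).
USERS = {}     # username -> {"salt": bytes, "hash": bytes}
SESSIONS = {}  # session token -> username


def _hash_password(password, salt):
    # PBKDF2-HMAC-SHA256; the iteration count is an assumption for the example.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def _set_password(username, new_password):
    salt = os.urandom(16)
    USERS[username] = {"salt": salt, "hash": _hash_password(new_password, salt)}


def register(username, password):
    _set_password(username, password)


def verify_password(username, password):
    """Constant-time comparison of the candidate against the stored hash."""
    user = USERS.get(username)
    if user is None:
        return False
    return hmac.compare_digest(_hash_password(password, user["salt"]), user["hash"])


def login(username, password):
    """Return a fresh session token on success, None otherwise."""
    if not verify_password(username, password):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token


def change_password_no_reauth(token, new_password):
    """The flawed pattern the article describes: a valid session alone authorises the change.

    Anyone holding the session (e.g. the next user of a public terminal left logged in)
    can lock the real owner out without ever knowing the current password.
    """
    username = SESSIONS.get(token)
    if username is None:
        return False
    _set_password(username, new_password)
    return True


def change_password(token, current_password, new_password):
    """Hardened form: the caller must prove knowledge of the current password.

    Revoking the user's other sessions afterwards is an added design choice (assumption,
    not part of the article): it ensures a hijacked session cannot keep control once
    the owner changes the password.
    """
    username = SESSIONS.get(token)
    if username is None:
        return False
    if not verify_password(username, current_password):
        return False
    _set_password(username, new_password)
    for other in [t for t, u in SESSIONS.items() if u == username and t != token]:
        del SESSIONS[other]
    return True


def demo():
    """Walk through the public-terminal scenario; returns the outcomes as a dict."""
    USERS.clear()
    SESSIONS.clear()
    register("alice", "correct horse battery")
    terminal_session = login("alice", "correct horse battery")  # alice forgets to log out

    # Attacker at the terminal holds only the session token, not the password.
    flawed = change_password_no_reauth(terminal_session, "attacker-chosen")
    owner_locked_out = login("alice", "correct horse battery") is None

    # Reset and replay the same scenario against the hardened handler.
    USERS.clear()
    SESSIONS.clear()
    register("alice", "correct horse battery")
    terminal_session = login("alice", "correct horse battery")
    phone_session = login("alice", "correct horse battery")
    hardened_without_pw = change_password(terminal_session, "guess", "attacker-chosen")
    owner_still_in = login("alice", "correct horse battery") is not None
    # The real owner, who knows the current password, can still change it,
    # and doing so ends the session left open on the terminal.
    owner_change = change_password(phone_session, "correct horse battery", "new secret")
    terminal_revoked = terminal_session not in SESSIONS
    return {
        "flawed_change_succeeded": flawed,
        "flawed_owner_locked_out": owner_locked_out,
        "hardened_change_without_password": hardened_without_pw,
        "hardened_owner_still_logs_in": owner_still_in,
        "owner_change_succeeded": owner_change,
        "terminal_session_revoked": terminal_revoked,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The check a reviewer would apply to any such endpoint is the one in `change_password`: the handler must never treat session possession as proof of identity for a credential change, whether the request arrives via the ordinary settings page or via a "recover a hacked account" flow.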

Topics: Security, Networking, Social Enterprise

A Sydney, Australia-based journalist, Michael Lee covers a gamut of news in the technology space including information security, state Government initiatives, and local startups.
