Researcher Sow Ching Shiong has discovered a flaw in Facebook's password reset facility that would allow anyone with access to a logged-in account to change its password without knowing the original password.
A common practice to regain access to a hacked account is to send a password reset to the user through an alternate channel of communication, such as via email or over the phone.
Sow wrote on his blog that "in normal circumstances, an authenticated Facebook user is required to enter his/her current password on the change password page to prevent an unauthorised person from changing the password without the user's knowledge."
This provides some protection for users who forget to log out of public terminals: although the next person might have access to the account for as long as it stays logged in, they cannot maintain control, because they are unable to make account changes without knowing the user's password.
According to Sow, however, if an attacker navigated to a specific Facebook page designed for regaining control of hacked accounts, they would be able to perform a password reset without knowing what the original password was.
Sow reported the flaw to Facebook via its White Hats program, and it has now been patched to require the user to enter their original password.