Facebook fixes simple security flaw which let you take over any account

A researcher has earned himself a $15,000 cash reward after disclosing a bug which allowed attackers to break into anyone's Facebook account with ease.
Written by Charlie Osborne, Contributing Writer

Researcher Anand Prakash has been awarded $15,000 through Facebook's bug bounty program after disclosing a password-reset flaw which allowed attackers to take over accounts with little effort.

The flaw is a simple vulnerability which gave the researcher access to Facebook accounts "without any user interaction."

The researcher was able to access the full range of information saved in an account, including messages, photos, videos and financial information stored in the social media network's payment section.

In a blog post on Monday, Prakash explained that a missing rate limit on some of Facebook's beta domains allowed attackers to reset account passwords without the legitimate owner's knowledge.

When a user forgets their account password, they can use the website's password reset feature, "Forgot Password," to recover access by entering their phone number or email address.

A six-digit code is then sent by the social network to verify the owner, and this code must be entered to create a new password.

On Facebook's main website, attempts to brute-force the code are blocked after 10 to 12 failed attempts. On the beta domains beta.facebook.com and mbasic.beta.facebook.com, however, the scenario played out differently: the rate limiting that stops repeated guesses of the six-digit reset code on the main site was missing from those domains, leaving all one million possible codes open to an attacker who could simply try them in turn.

It was then short work for the researcher to brute-force the reset code for his own account as a testbed and set a new password, granting himself access to the account and everything stored within.
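The following is an added example, not code from the article or from Facebook, that models the reset flow described above in a toy service: a six-digit code is issued per account, and a `verify` endpoint either counts failed attempts and locks the account after a threshold (the behaviour of the main site) or does not (the behaviour of the beta domains). The class and function names, the lockout threshold of 10 and the injected demo code are all assumptions made for the illustration.

```python
import hmac
import secrets

CODE_LEN = 6
MAX_ATTEMPTS = 10  # assumption: the article says the main site locked out after 10 to 12 tries


class ResetService:
    """Toy password-reset backend (constructed example, not Facebook's code).

    rate_limit=True  models the main site: failed guesses are counted and the
                     pending reset is locked after MAX_ATTEMPTS failures.
    rate_limit=False models the beta domains: every guess is accepted, so an
                     attacker can walk the whole 000000..999999 space.
    """

    def __init__(self, rate_limit=True, max_attempts=MAX_ATTEMPTS):
        self.rate_limit = rate_limit
        self.max_attempts = max_attempts
        self.codes = {}      # account -> pending six-digit code
        self.attempts = {}   # account -> failed verification attempts so far
        self.passwords = {}  # account -> current password

    def request_reset(self, account, code=None):
        """Issue a reset code for `account`.

        The `code` argument is a hook for deterministic demos only; a real
        service would always generate the code itself and deliver it by SMS
        or email rather than returning it to the caller.
        """
        if code is None:
            code = f"{secrets.randbelow(10 ** CODE_LEN):0{CODE_LEN}d}"
        self.codes[account] = code
        self.attempts[account] = 0
        return code

    def verify(self, account, guess, new_password):
        """Check a submitted code and, if it matches, set the new password."""
        if account not in self.codes:
            return "no_pending_reset"
        if self.rate_limit and self.attempts[account] >= self.max_attempts:
            return "locked"
        self.attempts[account] += 1
        # Constant-time compare so the check itself leaks nothing about the code.
        if hmac.compare_digest(guess, self.codes[account]):
            del self.codes[account]       # a code is single-use
            self.passwords[account] = new_password
            return "reset_ok"
        return "wrong_code"


def brute_force(service, account, new_password, max_guesses=10 ** CODE_LEN):
    """Try codes 000000, 000001, ... until the reset succeeds or the account locks.

    Returns (code_found_or_None, number_of_requests_sent).
    """
    for n in range(max_guesses):
        guess = f"{n:0{CODE_LEN}d}"
        result = service.verify(account, guess, new_password)
        if result == "reset_ok":
            return guess, n + 1
        if result == "locked":
            return None, n + 1
    return None, max_guesses


if __name__ == "__main__":
    # Beta-domain behaviour: no rate limit, so the attacker always gets in.
    beta = ResetService(rate_limit=False)
    beta.request_reset("victim", code="004242")  # demo code, normally unknown to the attacker
    print("no rate limit:", brute_force(beta, "victim", "attacker-chosen"))

    # Main-site behaviour: the same attack dies after MAX_ATTEMPTS guesses.
    main = ResetService(rate_limit=True)
    main.request_reset("victim", code="004242")
    print("rate limited: ", brute_force(main, "victim", "attacker-chosen"))
```

Counting failures per pending reset is the minimum fix; a production service would also expire codes after a few minutes, throttle by source IP and by account across all of its domains, and invalidate the pending code once the lockout triggers so the attacker cannot simply request a fresh one and resume.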

The vulnerability was reported to Facebook on 22 February. As the flaw was trivial to exploit and well within reach of a low-skilled attacker, Facebook quickly reproduced and acknowledged it, patched the problem, and awarded Prakash $15,000 for responsible disclosure.

The proof of concept is demonstrated in the video below.

In related news, this week Facebook announced plans to roll out a WordPress plugin which adapts Web content for Instant Articles.
