In a blog post on Monday, Prakash explained that missing security protocols in some versions of Facebook allowed attackers to reset account passwords without the legitimate owner's knowledge.
When a user forgets their account password, they can use the website's password reset feature, "Forgot Password," to recover access by entering their phone number or email address.
A six-digit code is then sent by the social network to verify the owner, and this code must be entered to create a new password.
On Facebook's main website, attempts to brute-force the code are blocked after 10 to 12 attempts. However, on the beta pages beta.facebook.com and mbasic.beta.facebook.com, the scenario played out differently. The security researcher says rate limiting, the anti-brute-force measure on the main website which prevents repeated attempts at guessing the six-digit password reset code, was missing from the other domains.
It was then short work for the researcher to brute-force his own account as a testbed and successfully set up a new password, granting himself access to the account and everything stored within.
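The defensive lesson from the flaw above is that the attempt counter for a reset code has to live with the account, server-side, so that every front end (main site, beta, mobile) consults the same limit. The following is an added illustration, not Facebook's code: a minimal reset-code verifier whose counter is keyed on the account only, with the hostname recorded purely for auditing. The class and function names, and the ten-attempt limit, are assumptions chosen for the example.

```python
import hmac
import secrets
from dataclasses import dataclass

MAX_ATTEMPTS = 10  # the article reports the main site blocking after 10 to 12 tries


@dataclass
class ResetChallenge:
    code: str          # six-digit code sent to the account owner
    attempts: int = 0  # guesses so far, counted across every front-end host
    exhausted: bool = False


class ResetService:
    """One active reset challenge per account, stored in one place so that
    www, beta and mbasic front ends all see the same attempt counter."""

    def __init__(self) -> None:
        self._challenges: dict[str, ResetChallenge] = {}
        self.audit: list[tuple[str, str, int]] = []  # (account, host, attempt no.)

    def issue_code(self, account_id: str) -> str:
        # A fresh code replaces any earlier challenge and restarts its counter.
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._challenges[account_id] = ResetChallenge(code)
        return code

    def verify(self, account_id: str, submitted: str, host: str) -> bool:
        # `host` is the front end that received the request. It is logged for
        # detection (one account hammered from several hosts stands out) but is
        # deliberately NOT part of the rate-limit key, so switching hosts
        # buys no extra guesses.
        ch = self._challenges.get(account_id)
        if ch is None or ch.exhausted:
            return False
        ch.attempts += 1
        self.audit.append((account_id, host, ch.attempts))
        if hmac.compare_digest(ch.code, submitted):  # constant-time comparison
            del self._challenges[account_id]        # a code is single use
            return True
        if ch.attempts >= MAX_ATTEMPTS:
            ch.exhausted = True  # even the right code is refused from now on;
        return False             # the owner must request a new code
```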
The vulnerability was sent to Facebook on 22 February. As the critical vulnerability was simple and easily within the skill range of any homegrown cyberattacker, Facebook rapidly tested and acknowledged the flaw, patching the problem and awarding Prakash $15,000 as a reward for responsible disclosure.
The proof of concept is demonstrated in the video below.
In related news, this week Facebook announced plans to roll out a WordPress plugin which adapts Web content for Instant Articles.