Facebook Reset Vulnerability Allowed The Hackers To Hack Any Facebook Account
Facebook Reset Vulnerability Allowed The Hackers To Hack Any Facebook Account

Facebook is number one social networking platform and hacking Facebook accounts is among the prime target of the hackers. In Fact, on the search engines, “How to Hack Facebook Account” is the among the most searched queries. Security Engineer and Bug Bounty Hunter, Anand Prakash was able to hack Facebook Accounts by a simple Facebook Reset Bug.

This bug was discovered by Indian Security Engineer, Anand Prakash aged 22. He could have also hacked into any Facebook account without communicating with the user. Also, it could have allowed him to view messages and the credit/debit card credentials, photos and more.

Also Read: A New Tool Can Hack Facebook Accounts

Prakash stated on his blog that “Whenever a user Forgets his password on Facebook, he has an option to reset the password by entering his phone number/ email address, after that Facebook sends 6 Digit Code to the users phone number or email address which helps the user to set a new password for his account. He further said that he tired to brute the 6 Digit Code on Facebook and was blocked after 10-12 consecutive invalid attempts.

After he was blocked from getting 6 digit code, he then headed to Facebook’s Beta pages, beta.facebook.com and mbasic.beta.facebook.com, he discovered that rate limit was missing from forgot password section in these two beta websites. He realized that there was no limitation, so it could have allowed him to brute force into any Facebook Account.

Vulnerable request:

POST /recover/as/code/ HTTP/1.1 Host: beta.facebook.com
Brute forcing the “n” successfully allowed me to set new password for any Facebook user.
Video of this vulnerability :

Prakash forwarded this “Reset Bug” to Facebook’s Security Team on 22nd February 2016. Facebook realized the severity this bug and then fixed it. He was also awarded a bug bounty of $15,000.