This bug was discovered by Indian Security Engineer, Anand Prakash aged 22. He could have also hacked into any Facebook account without communicating with the user. Also, it could have allowed him to view messages and the credit/debit card credentials, photos and more.
Prakash stated on his blog that “Whenever a user Forgets his password on Facebook, he has an option to reset the password by entering his phone number/ email address, after that Facebook sends 6 Digit Code to the users phone number or email address which helps the user to set a new password for his account. He further said that he tired to brute the 6 Digit Code on Facebook and was blocked after 10-12 consecutive invalid attempts.
After he was blocked from getting 6 digit code, he then headed to Facebook’s Beta pages, beta.facebook.com and mbasic.beta.facebook.com, he discovered that rate limit was missing from forgot password section in these two beta websites. He realized that there was no limitation, so it could have allowed him to brute force into any Facebook Account.
Vulnerable request:
POST /recover/as/code/ HTTP/1.1 Host: beta.facebook.com
lsd=AVoywo13&n=XXXXX
Brute forcing the “n” successfully allowed me to set new password for any Facebook user.
Prakash forwarded this “Reset Bug” to Facebook’s Security Team on 22nd February 2016. Facebook realized the severity this bug and then fixed it. He was also awarded a bug bounty of $15,000.
Post A Comment:
0 comments:
Post a Comment