Anand Prakash – How I could have hacked all Facebook accounts | Facebook Latest Bug March 2016 : Anand Prakash (Individual Security Researcher) Found a Critical Bug In Facebook And Got Rewarded With $15,000.
Anand Prakash – How I could have hacked all Facebook accounts | Facebook Latest Bug March 2016
This post is about a simple vulnerability found on Facebook which could have been used to hack into other user’s Facebook account easily without any user interaction. This gave me full access of another users account by setting a new password. I was able to view messages, his credit/debit cards stored under payment section, personal photos etc. Facebook acknowledged the issue promptly, fixed it and rewarded $15,000 USD considering the severity and impact of the vulnerability.
Anand Prakash facebook Bug Bounty
Facebook password reset vulnerability allowed hackers to brute force into any FB account
So Finally Anand Prakash Revealed His POC (Proof Of Concept) :
“Whenever a user Forgets his password on Facebook, he has an option to reset the password by entering his phone number/ email address on https://www.facebook.com/login/identify?ctx=recover&lwv=110 ,Facebook will then send a 6 digit code on his phone number/email address which user has to enter in order to set a new password. I tried to brute the 6 digit code on www.facebook.com and was blocked after 10-12 invalid attempts.” He Added.“Then i looked out for the same issue on beta.facebook.com and mbasic.beta.facebook.com and interestingly rate limiting was missing on forgot password endpoints. I tried to takeover my account ( as per Facebook’s policy you should not do any harm on any other users account) and was successful in setting new password for my account. I could then use the same password to login in the account.” He Added.
As you can see in the Below video he was able to set a new password of the user by brute forcing the code which was sent to your email address/phone number. For More details You can watch the Below Mentioned Video (POC).