This post is about a simple vulnerability found on Facebook which could have been used to hack into other users' Facebook accounts without any user interaction. It gave Anand Prakash full access to another user's account by setting a new password: he was able to view messages, the credit/debit cards stored under the payment section, personal photos, etc. Facebook acknowledged the issue promptly, fixed it and rewarded $15,000 USD considering the severity and impact of the vulnerability.
Description:
Whenever a user forgets his password on Facebook, he has the option to reset it by entering his phone number/email address on https://www.facebook.com/login/identify?ctx=recover&lwv=110. Facebook then sends a 6-digit code to his phone number/email address, which the user has to enter in order to set a new password. Anand Prakash tried to brute-force the 6-digit code on www.facebook.com and was blocked after 10-12 invalid attempts.
He then looked for the same issue on beta.facebook.com and mbasic.beta.facebook.com, and interestingly, rate limiting was missing on the forgot-password endpoints there. He tried to take over his own account (as per Facebook's policy you should not do any harm to any other user's account) and was successful in setting a new password for it. He could then use the same password to log in to the account.
Video POC
As you can see in the video, he was able to set a new password for the user by brute-forcing the code which was sent to the user's email address/phone number.
Vulnerable request:
POST /recover/as/code/ HTTP/1.1
Host: beta.facebook.com

lsd=AVoywo13&n=XXXXX
Brute-forcing the "n" parameter successfully allowed him to set a new password for any Facebook user.
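The fix for this class of bug is to count failed guesses against the account's issued code, not in whichever front end happens to receive the request. The following is an added illustration (not Anand Prakash's or Facebook's code) of a recovery-code verifier that keeps one attempt budget per account, so a request arriving via beta.facebook.com or mbasic.beta.facebook.com draws on the same counter as www.facebook.com; the MAX_ATTEMPTS value and the code lifetime are assumed.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

MAX_ATTEMPTS = 10           # guesses allowed per issued code; assumed, in line with the 10-12 seen on www
CODE_TTL_SECONDS = 15 * 60  # lifetime of a recovery code; assumed value, not from the post


@dataclass
class RecoveryCode:
    code: str
    issued_at: float
    attempts: int = 0
    consumed: bool = False


class RecoveryCodeStore:
    """Server-side recovery-code state keyed by account and shared by every front end.

    The failed-attempt counter lives next to the code, not in the host that received
    the request, so www, beta and mbasic.beta all spend the same budget.
    """

    def __init__(self, now=time.time):
        self._now = now
        self._codes = {}   # account_id -> RecoveryCode
        self.audit = []    # (host, account_id, outcome) tuples, useful for detection

    def issue(self, account_id: str) -> str:
        code = f"{secrets.randbelow(10**6):06d}"  # 6-digit code, as in the reset flow above
        self._codes[account_id] = RecoveryCode(code, self._now())
        return code

    def verify(self, account_id: str, host: str, guess: str) -> str:
        """Return 'ok', 'wrong', 'locked' or 'expired'; one counter per account, whatever the host."""
        rec = self._codes.get(account_id)
        if rec is None or rec.consumed:
            outcome = "wrong"
        elif self._now() - rec.issued_at > CODE_TTL_SECONDS:
            outcome = "expired"
        elif rec.attempts >= MAX_ATTEMPTS:
            outcome = "locked"  # a different hostname does not get a fresh budget
        else:
            rec.attempts += 1
            if hmac.compare_digest(rec.code, guess):  # constant-time comparison
                rec.consumed = True
                outcome = "ok"
            else:
                outcome = "wrong" if rec.attempts < MAX_ATTEMPTS else "locked"
        self.audit.append((host, account_id, outcome))
        return outcome
```

Once locked, even the correct code is rejected until a new one is issued, so the total guessing budget per code is MAX_ATTEMPTS out of 10^6 regardless of how many hostnames serve the endpoint.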