Vulnerability in Facebook's password reset allowed full access to other people's accounts


By David Clow

Facebook offers a mechanism for users who have forgotten their login password: a 6-digit code is sent to the registered e-mail address and used to reset the password. This step turned out to be vulnerable; it was shown that the password could be reset and the account fully taken over. The vulnerability has already been fixed, and the researcher who reported it has released a video showing what the vulnerability looked like.

Anand Prakash: [Responsible disclosure] How I could have hacked all Facebook accounts
http://www.anandpraka.sh/2016/03/how-i-could-have-hacked-your-facebook.html


The vulnerability was found by Anand Prakash, who lives in Bangalore, India. He reported it to Facebook on February 22nd, and Facebook fixed it on February 23rd. For discovering this vulnerability, Prakash received a bounty of $15,000 (about 1.7 million yen).

The mechanism was as follows.

Facebook Account takeover - YouTube


Prakash used the Professional Edition of "Burp Suite", a tool often used in vulnerability assessment.


With Burp configured as an HTTP proxy, you can edit the content of a request as you like before it is sent on to the server.


The Facebook password reset screen. A 6-digit number has been sent to the registered e-mail address, and entering it lets you reset the password; here, however, the demonstration breaks through without knowing the six digits. Although "beta.facebook.com" is used, it works the same way as normal Facebook.


For example, enter "154000".


You can see the 6 digits being sent to the server as "n=154000".


These six digits ...


... are then brute-forced, trying numbers starting from "154000" in increments of 1.


The brute force has started. "200" in the Status column indicates that the request was sent successfully. However, the number itself is wrong, so it does not log in.


After more than two minutes of trials, the status becomes "302" at "154898". This redirects to the login page.


This is how it looks in the browser. A new-password entry screen appears, and when a password is entered ... ....


The password change succeeds. After that, the devices still logged in with the old password are signed out with "Log out of other devices" ......


...... and only you can log in to this account.


Prakash verified this vulnerability on his own account, in line with Facebook's rule "Do not harm other people's accounts". Since the vulnerability has already been addressed, there is no need to worry that someone will log in to your account without permission using the same kind of attack, but it is frightening that it was possible to log in by such a method ....
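The root cause shown above is that the reset endpoint accepted an unbounded number of guesses for a 6-digit code, so sequential guessing reached the right value in minutes. The following is an added example, not Facebook's code or Prakash's, of a reset-code verifier that discards a code after a few wrong guesses; the class, constants and account names are hypothetical.

```python
import hmac
import secrets
import time

# Constructed example, not Facebook's code: a password-reset code store that
# issues 6-digit codes and discards a code after a few wrong guesses, so the
# sequential guessing shown in the article cannot reach the right value.
CODE_DIGITS = 6
MAX_ATTEMPTS = 5          # wrong guesses allowed before the code is discarded
CODE_TTL_SECONDS = 600    # a code expires ten minutes after it is issued


class ResetCodeStore:
    """Tracks one outstanding reset code per account, with a guess budget."""

    def __init__(self, clock=time.time):
        self._clock = clock              # injectable for testing
        self._codes = {}                 # account -> [code, issued_at, failures]

    def issue(self, account):
        """Generate a fresh uniform 6-digit code (this is what gets e-mailed)."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._codes[account] = [code, self._clock(), 0]
        return code

    def attempts_left(self, account):
        """Remaining wrong guesses for this account's code, or 0 if none is live."""
        entry = self._codes.get(account)
        return 0 if entry is None else MAX_ATTEMPTS - entry[2]

    def verify(self, account, guess):
        """Return True only for the live, unexpired code; every failure counts."""
        # The budget is enforced here, in the backend shared by the www and beta
        # front ends, so it applies whichever host submits the guess.
        entry = self._codes.get(account)
        if entry is None:
            return False
        code, issued_at, failures = entry
        if self._clock() - issued_at > CODE_TTL_SECONDS:
            del self._codes[account]     # expired: must request a new code
            return False
        # constant-time comparison so response timing does not leak digits
        if hmac.compare_digest(code, str(guess)):
            del self._codes[account]     # one-time use
            return True
        entry[2] = failures + 1
        if entry[2] >= MAX_ATTEMPTS:
            del self._codes[account]     # budget exhausted: code invalidated
        return False
```

With a budget of 5 guesses out of 1,000,000 possible codes, a guesser has a 0.0005% chance per issued code, and each new code requires the legitimate reset flow to be restarted.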

in Web Service, Security, Posted by logc_nt