Pierluigi Paganini March 07, 2016

A security researcher has discovered a Facebook password reset vulnerability that allowed him to brute force into any FB account.

The security researcher Anand Prakash has discovered a password reset vulnerability affecting Facebook. The critical vulnerability could be exploited by attackers to hack into any FB account launching a brute force attack.

“This post is about a simple vulnerability found on Facebook which could have been used to hack into other user’s Facebook account easily without any user interaction. This gave me full access of another users account by setting a new password. I was able to view messages, his credit/debit cards stored under payment section, personal photos etc. Facebook acknowledged the issue promptly, fixed it and rewarded $15,000 USD considering the severity and impact of the vulnerability.” wrote the researcher in a blog post.

The critical flaw resides in the way Facebook’s beta pages handle “Forgot Password” requests. When a user forgets the password, Facebook allows him to get back into your FB account through the ‘Forgot Password’ procedure. Facebook sends a 6 digit code on a user’s phone number or email address. After you enter this code in the window, you are able to access your FB account and reset your password.

The user then submits the code to access his FB account and reset the password.

Prakash tried to find security holes in the Facebook’s Forgot Password procedure. He tried to brute force the 6 digit code in the ‘Forgot Password’ window, he discovered that it is possible to make just 12 attempts before being locked out.

Prakash tried to perform the same operation on the Facebook beta pages,  beta.facebook.com and mbasic.beta.facebook.com. He then discovered that there is no limit on the number of attempts for these two Facebook beta pages. The absence of a limitation, allowed the researcher to launch a brute force attack into any Facebook account.

The vulnerable request illustrated by the researcher is:

POST /recover/as/code/ HTTP/1.1 Host: beta.facebook.com

lsd=AVoywo13&n=XXXXX

Prakash reported the vulnerability to Facebook on February 22, 2016, the security team acknowledged the flaw and deployed a fix on February 23.

Facebook awarded Prakash a bug bounty of $15,000, below the Video PoC published by the expert:

Pierluigi Paganini

(Security Affairs – FB account, brute force)