Facebook patches bug that let anyone hack any account

Facebook’s poorly secured beta site could be easily exploited in brute force attack.

David bisson
David Bisson
@

Facebook patches bug that let anyone hack any account

Facebook has patched a security hole that could have allowed an attacker to hack into any other user’s account.

Anand Prakash, a product security engineer at Indian ecommerce company Flipkart, explains in a blog post that Facebook enables a user to reset their password by entering in their email address or phone number at this URL: https://www.facebook.com/login/identify?ctx=recover&lwv=110.

FacebookOnce the user enters in their personal information, Facebook sends a 6-digit code to their phone number or email address. This code allows them to sign into their account and reset their password.

Sign up to our free newsletter.
Security news, advice, and tips.

Prakash was curious as to whether he could brute force this 6-digit code on www.facebook.com, but he was (quite rightly) blocked after 10-12 invalid attempts.

That’s when the security engineer had an idea.

“Then I looked out for the same issue on beta.facebook.com and mbasic.beta.facebook.com, and interestingly rate limiting was missing on forgot password endpoints. I tried to takeover my account (as per Facebook’s policy you should not do any harm on any other users account) and was successful in setting new password for my account. I could then use the same password to login in the account.”

Prakash demonstrates the technique in a YouTube video:

Facebook bug bounty account takeover (fixed) $15000 USD

At the heart of Prakash’s exploit is a simple three-line vulnerable request sent out using Burp Suite:

POST /recover/as/code/ HTTP/1.1
Host: beta.facebook.com
lsd=AVoywo13&n=XXXXX

Armed with the knowledge of a Facebook user’s phone number, email address, or user name, pieces of information which to varying extents are all publicly available, the engineer used his brute force technique against Facebook’s beta site – which is designed for software developers but accessible by everyone.

Cycling through all the possible six digit codes, he found that the beta site did not limit his attempts – and he could have gained access to any other user’s messages, attached payment card information, and personal photos.

Prakash reported the vulnerability to Facebook on February 22nd. A day later, he confirmed that Facebook had patched the issue. He has since received US $15,000 for reporting the bug responsibly.

Facebook bug bounty

The simplicity of this hack has caused some to expressed concern about Facebook’s beta site, as University of Surrey cybersecurity expert Professor Alan Woodward explained to The Telegraph:

“It was surprisingly simple, you’d have thought someone would have picked up on it now. You would think sites would allow you to have five attempts and then lock you out, it’s pretty standard practice.”

As a result, it’s to be hoped that Facebook will spend the next few weeks combing through its beta site for other simple yet severe bugs.

One thing needs to be pointed out. Although it is not covered in the engineer’s post, an account set up with two-factor authentication (2FA) could potentially have foiled the exploit. If the beta site did recognize this feature at the time of the attack, a second layer of authentication could have forced the attacker to repeat the exploit, only this time, they would have needed to crack the security code before it expired in 30 seconds.

Two-factor authentication is crucial when attackers can use simple exploits like Prakash’s code to reset your passwords. With that in mind, if any of your online accounts allow for 2FA, I suggest you set it up if you have not already done so.

If you are on Facebook, and want to be kept updated with news about security and privacy risks, and tips on how to protect yourself online, join the Graham Cluley Security News Facebook page.


David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

One comment on “Facebook patches bug that let anyone hack any account”

  1. Daniel Zaaiman

    I never received 15000 dollars that’s a lie

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.