Critical Facebook vulnerability could have made it easy to hack accounts [VIDEO]

Facebook brick wallA critical vulnerability was recently found in Facebook that could allow an attacker to hijack, and take control over, accounts on the social network.

No, not the one that required the attacker to just send a single SMS text message. This is a *different* vulnerability that can lead to a complete Facebook account takeover.

This latest security hole was discovered by vulnerability researcher Dan Melamed.

Melamed discovered that a security weakness existed in Facebook’s handling of accounts which have multiple email addresses associated with them.

Sign up to our free newsletter.
Security news, advice, and tips.

In short, Melamed found a way of tricking Facebook into accepting an additional email address for logging into an account, without the owner of the account receiving any warning. All the victim has to do is click on a link sent to them by the attacker.

A successful attack could lead to a malicious hacker reading private messages, posting updates and private messages in the victim’s name, and taking complete control of the account.

To exploit the vulnerability, here is what was needed:

1) A Facebook account (lets call her Sharon Alisonwitz) set up by the attacker. Sharon’s account already has an email address (lets say it is [email protected]) associated with it.
2) A second Facebook account (lets call her Karen Thurnson) set up by the attacker, who will try to claim ownership of the email address.
3) A victim on Facebook (lets call her Maria Smithstein).

Here’s how it works.

The Karen account, set up by the hacker, tries to associate the email address [email protected] (currently associated with Sharon’s Facebook account) with their own account. When Karen tries to add the email, she is given the option to claim it.

Claim email address

As part of the claim process, Melamed found users are taken to a link that appears like this:

https://www.facebook.com/support/openid/proxy_hotmail.php?​appdata[fbid]=AQ3Tcly2XEfbzuCqyhZXfb8_hYHTnHPPd-CDsvdrLzDnWLpsKTMcaXtIzV0qywEwbPs

The appdata[fbid] parameter in the link is an encrypted email address. In this case, [email protected].

The link then redirects user to the sign-in page for Hotmail.

Hotmail login

You must sign in with the email address that matches the encrypted parameter.

Finally, you are taken to a link that looks like this:

https://www.facebook.com/support/openid/accept_hotmail.php?​appdata=%7B%22fbid%22%3A%22AQ3Tcly2XEfbzuCqyhZXfb8_hYHTnHPPd-​CDsvdrLzDnWLpsKTMcaXtIzV0qywEwbPs%22%7D​&code=a6893043-​cf19-942b-c686-1aadb8b21026

Looking at the webpage’s source code, Melamed determined that this was where the claim process was deemed to have succeeded, and yet there was no check made that the person arriving at the page was the same person who had made the initial request to add an email address.

Success code

In our example, if Maria could be duped into visiting the URL then the attacker would now be able to access Maria’s account using the [email protected] login details.

One way to do this would be to create a malicious webpage which has invisibly embedded the final link inside an iFrame.

Because the victim receives no notification whatsoever that an email address has been added to their account, they would be oblivious to the attack, and be unaware that visiting a webpage has compromised their Facebook account.

The only necessity is for the victim (Maria in the example given above) to be logged into Facebook at the time that their computer visits the link.

Dan Melamed says that the link does not expire for approximately three hours, giving plenty of time for abuse. He has made a video demonstrating how the attack works. I recommend watching the video fullscreen in HD to get the most out of it, and note that there is no soundtrack.

Facebook exploit proof of concept - June 2013

Good news

The good news is that Dan Melamed acted responsibly, and disclosed details of the security hole to Facebook, rather than publish information about the vulnerability on the net where it could have been exploited by cybercriminals. Facebook’s security team appears to have responded rapidly, and fixed the flaw.

Melamed was awarded $1500 by Facebook’s bug bounty initiative for responsibly disclosing the vulnerability to the social network.

If you are on Facebook, and want to be kept updated with news about security and privacy risks, and tips on how to protect yourself online, join the Graham Cluley Security News Facebook page.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "The AI Fix" and "Smashing Security" podcasts. Follow him on Bluesky, Mastodon, and Threads, or drop him an email.

2 comments on “Critical Facebook vulnerability could have made it easy to hack accounts [VIDEO]”

  1. Carson

    Considering the weakness, $1500 does not seem to be a hell of a lot.

  2. Elsie

    This is what happened to my account on 07/05/17 and I have not been able to get back into my account. The Hacker took over my account changed my profile picture to his pic, my email address and phone number. I opened a new account but FB disabled it. I am wondering if suspending my phone service to see if that would help.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.