Short Bytes: By exploiting a flaw in Facebook’s beta sites, a security researcher has shown how any Facebook account could be hacked in a few simple steps. The vulnerability was in the password reset flow: the beta sites did not limit attempts at the reset code, which allowed an attacker to brute force the code for any account and gain complete access. Facebook has now fixed the flaw and awarded him a $15,000 bug bounty.
How to hack Facebook is one of the most searched hacking-related queries. While breaking into Facebook without putting your own account at risk is very difficult, a security researcher from Bangalore, India, did it successfully.
His method exploits a simple vulnerability that could have been used to take over other people’s Facebook accounts and make any kind of change to them. With this Facebook hack, Anand Prakash was able to view messages, stored credit/debit card information, personal pictures and more.
Flaw and method description: How to hack Facebook
This vulnerability is in Facebook’s password reset feature. Whenever a user forgets their Facebook password, the social networking website lets them reset it by entering their email address or phone number. Facebook then sends a 6-digit security code that must be entered before the password can be changed.
To protect accounts from brute force attacks, Facebook’s main site www.facebook.com allows a user up to 12 attempts at the code before blocking further tries.
Anand looked for the same issue on Facebook’s beta sites beta.facebook.com and mbasic.beta.facebook.com. He was surprised to find that the 12-attempt limit was not enforced on these sites. Using the Forgot Password feature, he brute forced the 6-digit password reset code on the beta sites. As a result, he was able to hack his own Facebook account and reset its password.
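As an added example (not from the article, and not Facebook’s own code), here is the kind of server-side check that the main site had and the beta sites lacked: a per-account attempt budget on reset-code verification, where twelve wrong guesses invalidate the pending code so that the thirteenth request fails even if it carries the right value. The 12-attempt limit comes from the article; the 15-minute code lifetime and the account names are assumptions for illustration.

```python
import hmac
import secrets
import time

MAX_ATTEMPTS = 12            # limit the article reports for www.facebook.com
CODE_TTL_SECONDS = 15 * 60   # assumed code lifetime (not stated in the article)


class ResetCodeStore:
    """Tracks one pending reset code per account and enforces an attempt budget.

    The counter is keyed by account on the server side, so it cannot be reset
    by switching sessions, clients or front-end hostnames (the beta-site gap).
    """

    def __init__(self, max_attempts=MAX_ATTEMPTS, ttl=CODE_TTL_SECONDS, clock=time.time):
        self.max_attempts = max_attempts
        self.ttl = ttl
        self.clock = clock
        self._pending = {}   # account -> {"code": str, "attempts": int, "issued": float}

    def issue(self, account):
        # Zero-padded 6-digit code drawn from a CSPRNG; replaces any older code.
        code = f"{secrets.randbelow(1_000_000):06d}"
        self._pending[account] = {"code": code, "attempts": 0, "issued": self.clock()}
        return code

    def verify(self, account, guess):
        entry = self._pending.get(account)
        if entry is None:
            return False
        if self.clock() - entry["issued"] > self.ttl:
            del self._pending[account]          # expired: must request a new code
            return False
        if entry["attempts"] >= self.max_attempts:
            del self._pending[account]          # budget exhausted: code is burned
            return False
        entry["attempts"] += 1
        # Constant-time comparison so response timing leaks nothing about the code.
        if hmac.compare_digest(entry["code"], str(guess)):
            del self._pending[account]          # single use
            return True
        return False
```

With the limit in place an attacker gets at most 12 of the 1,000,000 possible codes per issued code, instead of the unbounded search the beta sites permitted.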
Video Proof-of-concept: How to hack Facebook
In the video below, Anand shows how he was able to set a new password on a Facebook account by brute forcing the security code sent to the phone number or email:
Which is the vulnerable request that was exploited to hack Facebook?
On Facebook’s beta page, Anand was able to brute force “n” in the following request and gain complete control of the account:
After discovering this flaw, Anand reported it to Facebook’s team on February 22. The social media website has now fixed the flaw and awarded him a bug bounty of $15,000.
If you spot a vulnerability in any website or application, feel free to drop an email at email@example.com — we’ll be glad to feature you on fossBytes.