Categories: Security

Facebook Fixes Account Takeover Bug

Facebook has fixed a security flaw that allowed an attacker to take over any user’s account by abusing the social network’s password-reset mechanism.

The bug, discovered by Bangaluru-based researcher Anand Prakash, was found in Facebook sites used for beta-testing new features, and could have allowed straightforward access to any account.

Account takeover

“I was able to view messages, credit/debit cards stored under payment section, personal photos etc,” Prakash wrote in an advisory, adding that Facebook acknowledged and fixed the issue promptly, as well as paying out a $15,000 (£10,500) bounty.

Facebook allows anyone to reset the password for any account by entering the user’s telephone number or email address into a password recovery system. The site then sends a six-digit code to the user’s mobile phone that can be used to gain access to the account and set a new password.

Prakash found that two Facebook sites used for testing new features didn’t limit the number of times a user could enter an incorrect code. That meant a malicious user could write a simple script that kept guessing the code until it hit on the right one.

Bug bounty

“I tried to takeover my account… and was successful,” he wrote. “I could then use the same password to login in the account.”

Facebook’s main website limited the number of incorrect guesses, Prakash noted.

He notified Facebook of the flaw on 22 February, and a fix was in place the next day. He said he received a bounty earlier this month.

Facebook’s bug bounty programme paid out about $936,000 last year, less than the $1.3m paid in 2014, but the social network said the bugs it was informed of were more serious than previously.

In February of last year a researcher from Tamil Nadu was awarded $12,500 for discovering a flaw that allowed users to delete photo albums belonging to other users.

Are you a security pro? Try our quiz!

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

View Comments

  • It is hard to believe Developers at FB missed out such a simple thing. I feel this was a backdoor as then an account be accessed. Thanks to Prakash, this backdoor stands exposed. Though I would not be surprised if there are other backdoors. Also storing email address /phone number in a format that can be retrieved by FB is the biggest backdoor by itself as anytime FB wants to access your account, all they need to do is replace your original email address/phone with something else they have access to.

    To do away with this backdoor, FB should stop using email/phone numbers to retrieve passwords and instead use other alternatives where the password is not sent or generated using a personal identity but by a combination of identities that only the user knows but which is never stored on FB servers.

    If FB is listening, I can help.

Recent Posts

Ericsson To Cut 1,200 Jobs in Sweden Amid ‘Challenging’ Market

Swedish telecoms giant Ericsson blamed “challenging mobile networks market” and “further volume contraction” for job…

4 hours ago

FTX’s Sam Bankman-Fried Sentenced To 25 Years In Prison For $8bn Fraud

Dramatic downfall. Sam Bankman-Fried sentenced to 25 years in prison for masterminding $8bn fraud that…

5 hours ago

Elon Musk Orders FSD Demo For Every Tesla US Sale

Fallout avoidance? Tesla buyers in the US must be shown how to use the FSD…

6 hours ago

Amazon Pumps Another $2.75 Billion Into Anthropic

Amazon completes its $4bn investment into AI firm Anthropic, after providing an additional $2.75bn in…

8 hours ago

The Sustainability of AI

While AI promises unparalleled efficiency, productivity, and innovation, questions regarding its environmental impact loom large.…

10 hours ago

Trump’s Truth Social Makes Successful Market Debut

Shares in Donald Trump’s social media company rose about 16 percent after first day of…

11 hours ago