Facebook has fixed the issue after being notified by researcher Dan Melamed

Jul 15, 2013 13:42 GMT

Security researcher Dan Melamed has discovered a vulnerability that could have been exploited by hackers to hijack Facebook accounts. 

The attack method discovered and reported by Melamed relies on a vulnerability in Facebook’s “claim email address” component.

When users add an email address to their account that’s already set by another user, Facebook gives them the opportunity to claim the email address. However, because the social media service didn’t check who the request came from, cybercriminals could have hijacked user accounts.

The newly added email address could have been used to reset the victim’s password and gain complete control of their Facebook account.

All the attacker needed to do was to get the victim to visit a website that contained a cleverly crafted script.
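The missing check described above, modelled as an added example rather than Facebook's or Melamed's code: an in-memory "claim email address" endpoint that trusts only the ambient session cookie, beside a hardened version that requires a per-session anti-CSRF token and a first-party Origin, and that holds a claim on an address already held by another account as pending until it is confirmed out of band. The account data, the `SITE_ORIGIN` value and the pending-claim queue are constructed for the example.

```python
import hmac
import secrets

# Constructed, in-memory stand-in for an account service (example data only).
ACCOUNTS = {
    "alice": {"emails": {"alice@example.com"}},
    "bob": {"emails": {"bob@example.com"}},
}
SESSIONS = {}          # session id -> {"user": name, "csrf": token}
PENDING_CLAIMS = []    # (claiming user, email) awaiting confirmation from the mailbox
SITE_ORIGIN = "https://social.example"   # hypothetical first-party origin


def login(user):
    """Create a session; the anti-CSRF token is stored server side, bound to it."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_hex(16)}
    return sid


def claim_email_vulnerable(session_id, email):
    """Before: the only check is the session cookie the browser sends automatically,
    so a request triggered by any page the logged-in user visits is honoured."""
    user = SESSIONS[session_id]["user"]
    for acct in ACCOUNTS.values():
        acct["emails"].discard(email)       # address is moved away from its holder
    ACCOUNTS[user]["emails"].add(email)
    return True


def claim_email_hardened(session_id, email, csrf_token, origin):
    """After: reject requests that did not originate from our own page, and never
    transfer an address held by another account until its holder confirms."""
    sess = SESSIONS.get(session_id)
    if sess is None:
        return "rejected"
    if not hmac.compare_digest(csrf_token or "", sess["csrf"]):
        return "rejected"                   # token missing or wrong: cross-site request
    if origin != SITE_ORIGIN:
        return "rejected"                   # browser reports a foreign Origin
    held_elsewhere = any(email in a["emails"]
                         for u, a in ACCOUNTS.items() if u != sess["user"])
    if held_elsewhere:
        PENDING_CLAIMS.append((sess["user"], email))   # confirmation link goes to the inbox
        return "pending"
    ACCOUNTS[sess["user"]]["emails"].add(email)
    return "added"
```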

Facebook has addressed the vulnerability.

Check out the PoC video published by the expert. Additional technical details are available on Melamed’s blog.