Sow Ching Shiong is the researcher who identified the issue

Jan 8, 2013 09:53 GMT  ·  By

Facebook has addressed a serious vulnerability after being notified by independent security researcher Sow Ching Shiong. The security hole allowed hackers to change the passwords of accounts they had compromised without knowing the old passwords.

Whenever users change the password that protects their Facebook account, they’re required to enter the current password before they can set the new one.

However, the expert found that cybercriminals could change a user’s password without knowing the old one by accessing the “https://www.facebook.com/hacked” URL, which automatically redirected to the compromised-account recovery page.

By using this method, an attacker was simply prompted to enter the new password and confirm it, without having to know any other information.

Facebook has addressed this issue and now users are prompted to enter their old passwords before setting a new one.
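As an added illustration (not Facebook's code and not from the researcher's report), the following Python model contrasts the two password-change paths: a recovery path that, like the one described above, trusts the session alone, beside a hardened version that demands either the current password or a single-use, out-of-band recovery token. The user store, salt and function names are constructed for this example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

SALT = b"constructed-demo-salt"  # real systems use a random per-user salt


def _hash(pw: str) -> bytes:
    # Standard-library PBKDF2; a production system would pick a stronger KDF
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), SALT, 50_000)


# Constructed in-memory user store (example data only)
USERS = {"alice": {"pw_hash": _hash("old-secret"), "recovery_token": None}}


def verify_password(user: str, candidate: str) -> bool:
    return hmac.compare_digest(USERS[user]["pw_hash"], _hash(candidate))


def change_password_vulnerable(user: str, new_pw: str) -> bool:
    """Models the flaw in the article: the recovery page accepts a new
    password for whoever holds the session, with no proof of the old one."""
    USERS[user]["pw_hash"] = _hash(new_pw)
    return True


def issue_recovery_token(user: str) -> str:
    """Out-of-band step (e.g. an emailed link): the token proves control of a
    trusted channel, not merely of a browser session. Only its hash is stored."""
    token = secrets.token_urlsafe(32)
    USERS[user]["recovery_token"] = hashlib.sha256(token.encode()).digest()
    return token


def change_password_hardened(user: str, new_pw: str,
                             current_pw: Optional[str] = None,
                             recovery_token: Optional[str] = None) -> bool:
    """Require the current password or a valid, single-use recovery token."""
    rec = USERS[user]
    if current_pw is not None and verify_password(user, current_pw):
        pass
    elif (recovery_token is not None and rec["recovery_token"] is not None
          and hmac.compare_digest(rec["recovery_token"],
                                  hashlib.sha256(recovery_token.encode()).digest())):
        rec["recovery_token"] = None  # consume the token so it cannot be replayed
    else:
        return False  # a session on its own is not enough
    rec["pw_hash"] = _hash(new_pw)
    return True
```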

Sow Ching Shiong has been added to Facebook's list of white hats.

Check out the screenshots from the gallery to see how the attack worked.

Gallery: Facebook password reset vulnerability (3 images): step 1, step 2, step 3.