Facebook Fixes Flaw That Allowed Hackers to Change Password Without Knowing the Old One

Sow Ching Shiong is the researcher that has identified the issue

By Eduard Kovacs on January 8th, 2013 09:53 GMT

Facebook has addressed a serious vulnerability after being notified by independent security researcher Sow Ching Shiong. The security hole allowed hackers to change the passwords of accounts they had compromised without knowing the old passwords.

Whenever users change the password that protects their Facebook account, they’re required to enter the current password before they can set the new one.

However, the researcher found that an attacker could change a user’s password without knowing the old one by visiting the “https://www.facebook.com/hacked” URL, which automatically redirected to the compromised-account recovery page.

On that page the attacker was simply prompted to enter and confirm a new password; no other proof of identity was required. The recovery flow skipped the re-authentication check that the normal password-change form enforces, so an attacker who already held a logged-in session could set a password the legitimate owner did not know.

Facebook has addressed this issue and now users are prompted to enter their old passwords before setting a new one.
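The pattern behind this bug is a second code path that sets a password without demanding the same proof as the primary path. The following Python model is an added illustration, not Facebook's code: the account store, the PBKDF2 hashing and the function names are assumptions, and the "session_user" argument stands in for whatever identity the session cookie carries. It places the vulnerable recovery handler beside the hardened one, which requires the current password just as the fix described above does.

```python
"""Model of a password-change flow with a recovery path that skips
re-authentication, next to the hardened version.

Added illustration, not Facebook's code. AccountStore, the hashing
parameters and the handler names are assumptions for this example.
"""
import hashlib
import hmac
import os


def _hash(password: str, salt: bytes) -> bytes:
    # Assumed parameters; any slow password hash would do here.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AccountStore:
    """Minimal in-memory store: username -> (salt, password hash)."""

    def __init__(self) -> None:
        self.accounts: dict[str, tuple[bytes, bytes]] = {}

    def create(self, user: str, password: str) -> None:
        self.set_password(user, password)

    def set_password(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[user] = (salt, _hash(password, salt))

    def verify(self, user: str, password: str) -> bool:
        salt, stored = self.accounts[user]
        return hmac.compare_digest(stored, _hash(password, salt))


def change_password(store: AccountStore, session_user: str,
                    old: str, new: str) -> bool:
    """Settings-page flow: the current password is required."""
    if not store.verify(session_user, old):
        return False
    store.set_password(session_user, new)
    return True


def recovery_set_password_vulnerable(store: AccountStore,
                                     session_user: str, new: str) -> bool:
    """Recovery flow as the article describes the bug: only the session
    is checked, so anyone holding a hijacked session can lock the
    owner out by choosing a new password."""
    store.set_password(session_user, new)
    return True


def recovery_set_password_fixed(store: AccountStore, session_user: str,
                                old: str, new: str) -> bool:
    """Hardened recovery flow: demand the same proof as the normal path.
    A session alone is never enough to rotate the credential."""
    if not store.verify(session_user, old):
        return False
    store.set_password(session_user, new)
    return True


def demo() -> dict[str, bool]:
    """Exercise both handlers with a constructed account and report
    whether the attacker (who knows only the session) succeeded."""
    results = {}

    store = AccountStore()
    store.create("alice", "correct horse")          # constructed sample account
    recovery_set_password_vulnerable(store, "alice", "attacker-chosen")
    results["vulnerable_takeover"] = store.verify("alice", "attacker-chosen")

    store = AccountStore()
    store.create("alice", "correct horse")
    changed = recovery_set_password_fixed(store, "alice", "guess", "attacker-chosen")
    results["fixed_rejects_attacker"] = (not changed) and store.verify("alice", "correct horse")
    results["fixed_allows_owner"] = recovery_set_password_fixed(
        store, "alice", "correct horse", "owner-chosen") and store.verify("alice", "owner-chosen")
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The check worth carrying away is that every endpoint able to rotate a credential must re-verify the user, not just the session; a password reset reached through a different URL is still a password reset.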

Sow Ching Shiong has been added to Facebook's list of white hats. 

Check out the screenshots from the gallery to see how the attack worked.
Gallery: Facebook password reset vulnerability (3 images, beginning with step 1).