Security researcher Nir Goldshlager has identified a flaw in the Secure File Transfer service used by Facebook employees, which allowed him to reset the password of any account.
Accellion, the provider of the file transfer service, had removed the registration page to prevent unauthorized users from creating accounts. However, Goldshlager discovered that the registration page could still be accessed by someone who knew its location.
After creating an account and downloading the Accellion application, he attempted to reverse engineer the source code files, but since they were properly encrypted, he pursued a different attack vector.
He identified a “referer” parameter in the cookie used by a file called wmPassupdate.html – utilized by the application to recover forgotten passwords.
By changing the values of this parameter, he could set the password of any account to an arbitrary one.
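To show the defect class in code, here is a hypothetical password-update handler (an added example, not Accellion's or Facebook's code): the vulnerable version identifies the target account from a client-controlled cookie field, the way the report describes, while the hardened version binds the reset to a server-issued, single-use, expiring token so the client cannot choose whose password changes. The user store, token table and cookie field name are constructed for the example.

```python
import secrets
import time
from typing import Dict, Optional, Tuple

# Constructed in-memory user store for the example (not a real system).
USERS = {"alice": {"password": "old-secret"}, "bob": {"password": "hunter2"}}


def vulnerable_update(cookie: dict, new_password: str) -> str:
    """Anti-pattern: the account to modify is read straight from a cookie
    field the client controls, so the caller picks any target account."""
    target = cookie["referer"]  # attacker-controlled value
    USERS[target]["password"] = new_password
    return target


# Hardened version: a reset is only valid with a token the server issued
# for a specific account, used at most once, within a short lifetime.
RESET_TOKENS: Dict[str, Tuple[str, float]] = {}  # token -> (user, expiry)
TOKEN_TTL_SECONDS = 15 * 60


def issue_reset_token(user: str, now: Optional[float] = None) -> str:
    """Server side: mint an unguessable token bound to one account."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[token] = (user, now + TOKEN_TTL_SECONDS)
    return token


def hardened_update(token: str, new_password: str,
                    now: Optional[float] = None) -> Optional[str]:
    """Accept only a live, unused token; the account comes from the
    server-side record, never from anything the client sent."""
    now = time.time() if now is None else now
    entry = RESET_TOKENS.pop(token, None)  # pop enforces single use
    if entry is None:
        return None
    user, expiry = entry
    if now > expiry:
        return None  # expired tokens are rejected even though unused
    USERS[user]["password"] = new_password
    return user
```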
After being notified by the expert, both Facebook and Accellion addressed the security holes. To see the details of the vulnerability, check out the video proof-of-concept published by Goldshlager.