Attacker could have hijacked any account he wanted

Mar 7, 2016 17:05 GMT  ·  By

Facebook has paid $15,000 (€13,600) to an independent security researcher who discovered a simple method of resetting passwords for other accounts, setting a new passphrase and effectively taking over profiles.

The researcher who found the issue and helped Facebook fix it before it could be abused by a malicious actor is Anand Prakash, a security researcher based in Bangalore, Karnataka, India.

As he describes on his blog, the issue is a straightforward brute-force attack on the password recovery flow, and not on the main Facebook site, which does throttle this kind of automated guessing.

Facebook reset password form was vulnerable to brute-force attacks

Whenever users forget their Facebook password, they have to fill in a form with the email address or phone number associated with their Facebook account.

After entering one of these two details, the user is sent a six-digit code via SMS, which they have to enter in the password reset form before they are allowed to set a new password for the account.

If someone tried to guess this six-digit code on Facebook's main site (facebook.com), they would be locked out after 10 to 12 invalid attempts. That limit is what makes the scheme safe at all: a six-digit code has only one million possible values, which is trivial to enumerate if every guess is accepted.

Vulnerability was on the Facebook Beta portal

Mr. Prakash discovered that this lockout was not enforced on Facebook's beta platform, accessible at beta.facebook.com (and mbasic.beta.facebook.com). This is where most of Facebook's features are tested before being released on the main platform, and Facebook offers it to users who want early access to the company's newest functionality.

Using a simple brute-forcing tool, Mr. Prakash was able to push past the password reset screen where the six-digit code had to be entered.

With a simple script, the researcher submitted codes until he hit the correct six-digit value. Because Facebook's beta portal did not lock the account after 10 to 12 failed attempts, he was able to reset his own account's password, and could have done the same to any other user. The only precondition was knowing the telephone number or email address associated with the target's account.
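The two behaviours described above, as an added example that is not part of the original article and not Facebook's code: a toy reset-code verifier in Python that keeps the failure counter next to the pending code on the backend, run once with no limit (the beta behaviour) and once with a limit of ten failures (the main-site behaviour). The class and function names, the cut-off value of ten, the identifier victim@example.com and the sample code 004242 are all assumptions made for the illustration.

```python
"""Toy model of an SMS reset-code check with and without a failure limit.
Added example, not Facebook's code: names and numbers here are assumptions."""
import hmac
import secrets
from dataclasses import dataclass

CODE_SPACE = 10 ** 6          # a six-digit code has only one million values


@dataclass
class PendingReset:
    code: str
    failures: int = 0
    locked: bool = False


class ResetBackend:
    """Stores the one-time code issued to each account (keyed by email/phone).

    max_failures=None models the beta endpoint described above: guesses are
    never refused. A small integer models the main site's lockout. Because the
    counter lives with the pending code in the backend, every front end that
    calls verify() (www, beta, mbasic, ...) shares the same limit."""

    def __init__(self, max_failures=None):
        self.max_failures = max_failures
        self._pending = {}

    def issue_code(self, identifier, code=None):
        # A real deployment sends the code by SMS and never returns it to the
        # caller; the optional `code` argument only makes the demo repeatable.
        if code is None:
            code = f"{secrets.randbelow(CODE_SPACE):06d}"
        self._pending[identifier] = PendingReset(code)
        return code

    def verify(self, identifier, guess):
        state = self._pending.get(identifier)
        if state is None or state.locked:
            return "locked"                        # no pending code, or too many failures
        if hmac.compare_digest(state.code, guess):
            del self._pending[identifier]          # one-time use
            return "ok"
        state.failures += 1
        if self.max_failures is not None and state.failures >= self.max_failures:
            state.locked = True                    # code is dead; user must request a new one
        return "wrong"


def brute_force(backend, identifier):
    """Attacker loop: walk the whole code space in order until the backend
    accepts a guess or refuses further attempts.
    Returns (code, number_of_guesses) on success, or None when locked out."""
    for n in range(CODE_SPACE):
        guess = f"{n:06d}"
        status = backend.verify(identifier, guess)
        if status == "ok":
            return guess, n + 1
        if status == "locked":
            return None
    return None


def demo(code="004242"):
    """Run the same attack against both configurations for one victim."""
    victim = "victim@example.com"        # constructed identifier
    beta = ResetBackend(max_failures=None)
    beta.issue_code(victim, code)
    main = ResetBackend(max_failures=10)
    main.issue_code(victim, code)
    return {"beta": brute_force(beta, victim), "main": brute_force(main, victim)}


if __name__ == "__main__":
    print(demo())   # beta: ('004242', 4243); main: None
```

The design point is where the counter lives: attached to the account's pending code in the backend record, so any host that verifies a code for that account draws down the same budget. A limit enforced only in one web tier's request handling is exactly what a second host serving the same flow can sidestep, whatever the reason the beta host lacked the check. Once the budget is spent the correct code is refused as well, so the legitimate user has to request a fresh one, which is the intended cost of the protection.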

The researcher discovered the issue on February 22, told Facebook, and the company patched it by the next day. Below is a proof-of-concept video recorded by the researcher.

This bug also raises a broader question about the state of Facebook's security, or more precisely the security of its beta platform: how many issues that have long been patched on the main site still exist on the beta platform, and why have the two not received the same security protections and bug fixes?