We are publishing this with the permission of Facebook under the responsible disclosure policy. They have fixed this vulnerability.
This post is about a simple vulnerability we discovered on Facebook which we could have used to hack into other users’ Facebook accounts easily and without any user interaction.
This gave us full access to other users' accounts by setting a new password. We were able to view messages, the credit/debit cards stored under their payment section, personal photos, and other private information.
Facebook acknowledged the issue promptly, fixed it, and rewarded me with a US $15,000 bounty based on the severity and impact of this vulnerability.
How the hack worked
Whenever a user forgets their password on Facebook, they have an option to reset the password by entering their phone number and email address on https://www.facebook.com/login/identify?ctx=recover&lwv=110.
Facebook will then send a 6-digit code to this phone number or email address, which the user has to enter in order to set a new password.
We tried to brute force the 6-digit code on www.facebook.com and were blocked after 10–12 invalid attempts.
Then we looked for the same issue on beta.facebook.com and mbasic.beta.facebook.com. Interestingly, rate limiting was missing from the forgot-password endpoint on those hosts.
We tried to take over our own personal Facebook account (as per Facebook's policy, you should not do any harm to other users' accounts) and were successful in setting a new password for it. We could then use this same password to log into the hacked account.
A proof of concept video of the hack
As you can see in the video, we were able to set a new password for the user by brute forcing the code which was sent to their email address and phone number.
POST /recover/as/code/ HTTP/1.1
Brute forcing the “n” parameter of this request successfully allowed us to set a new password for any Facebook user.
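The root cause above is a per-host attempt limit: the counter that blocked guessing on www.facebook.com was not enforced for the same recovery flow on the beta hosts. The following is an added example, not Facebook's code, of how a server should count failed recovery-code submissions per recovery session rather than per hostname, so that alternating hosts cannot reset the limit; the class, the threshold and the host names are constructed for illustration.

```python
import hmac
import secrets

CODE_LENGTH = 6
MAX_ATTEMPTS = 10  # hypothetical threshold, in the range the post observed on www


class RecoveryCodeVerifier:
    """Verifies a 6-digit password-recovery code with a per-session attempt limit.

    The limit is keyed by recovery_id (the pending reset), never by the host that
    served the request, so beta.* and mbasic.* share one counter with www.*.
    """

    def __init__(self, max_attempts=MAX_ATTEMPTS):
        self.max_attempts = max_attempts
        self._codes = {}     # recovery_id -> code sent out of band (constructed store)
        self._attempts = {}  # recovery_id -> failed submissions so far

    def start(self, recovery_id):
        """Issue a fresh random code for a recovery session and return it (to be sent out of band)."""
        code = f"{secrets.randbelow(10 ** CODE_LENGTH):0{CODE_LENGTH}d}"
        self._codes[recovery_id] = code
        self._attempts[recovery_id] = 0
        return code

    def verify(self, recovery_id, submitted, host="www.example.test"):
        """Return 'ok', 'wrong', 'locked' or 'invalid'. `host` is informational only."""
        if recovery_id not in self._codes:
            return "invalid"  # unknown, already used, or invalidated session
        if self._attempts[recovery_id] >= self.max_attempts:
            return "locked"   # refuse even a correct code once the limit is hit
        if hmac.compare_digest(self._codes[recovery_id], str(submitted)):
            del self._codes[recovery_id]  # single use: a correct code cannot be replayed
            return "ok"
        self._attempts[recovery_id] += 1
        if self._attempts[recovery_id] >= self.max_attempts:
            del self._codes[recovery_id]  # burn the code; user must request a new one
            return "locked"
        return "wrong"
```

Because the counter lives on the recovery session, a guess submitted via a second hostname counts toward the same limit, which is exactly the property the beta endpoints lacked.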
Feb 22nd, 2016 : Report sent to Facebook team.
Feb 23rd, 2016 : Verified the fix from our end.
March 2nd, 2016 : Bounty of $15,000 awarded by Facebook.