
We figured out a way to hack any of Facebook’s 2 billion accounts, and they paid us a $15,000 bounty for it

Anand Prakash
February 9th, 2018 · 1 min read

We are publishing this with the permission of Facebook under the responsible disclosure policy. They have fixed this vulnerability.

This post is about a simple vulnerability we discovered on Facebook which we could have used to hack into other users’ Facebook accounts easily and without any user interaction.

This gave us full access to other users' accounts by setting a new password. We were able to view messages, the credit/debit cards stored under their payment section, personal photos, and other private information.

Facebook acknowledged the issue promptly, fixed it, and rewarded us with a US $15,000 bounty based on the severity and impact of this vulnerability.

How the hack worked

Whenever a user forgets their password on Facebook, they have the option to reset it by entering their phone number or email address on https://www.facebook.com/login/identify?ctx=recover&lwv=110.

Facebook will then send a 6-digit code to that phone number or email address, which the user has to enter in order to set a new password.

We tried to brute force the 6-digit code on www.facebook.com and were blocked after 10–12 invalid attempts.

Then we looked for the same issue on beta.facebook.com and mbasic.beta.facebook.com. Interestingly, rate limiting was missing from the forgot-password endpoint there.

We tried to take over our own personal Facebook account (as per Facebook's policy, you should not do any harm to other users' accounts) and were successful in setting a new password for it. We could then use this same password to log into our own hacked account.

A proof of concept video of the hack

As you can see in the video, we were able to set a new password for the user by brute forcing the code that was sent to their email address and phone number.

Vulnerable request

POST /recover/as/code/ HTTP/1.1
Host: beta.facebook.com

lsd=AVoywo13&n=XXXXX

Brute forcing the “n” parameter (the 6-digit code) successfully allowed us to set a new password for any Facebook user.
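The mitigation this post points at, as an added example that is not Facebook's code: a reset-code verifier whose attempt budget is tied to the account being recovered and kept in a store shared by every front end, so a second hostname such as beta.facebook.com cannot hand out a fresh set of guesses. MAX_ATTEMPTS, CODE_TTL_SECONDS and the in-memory dictionary are assumptions standing in for the real limits and backend.

```python
import hmac
import secrets
import time

# Constructed in-memory store standing in for the shared backend that every
# front end (www, beta, mbasic, ...) must consult. Keyed by the account being
# recovered, never by the hostname that served the request, so switching
# domains does not reset the counter.
pending_codes = {}

MAX_ATTEMPTS = 10        # assumed; roughly the limit the post observed on www
CODE_TTL_SECONDS = 600   # assumed expiry; a 6-digit code must not live long


def issue_code(account_id, now=None):
    """Generate a fresh 6-digit code for account_id and reset its attempt counter."""
    code = f"{secrets.randbelow(10**6):06d}"
    pending_codes[account_id] = {
        "code": code,
        "attempts": 0,
        "issued_at": time.time() if now is None else now,
    }
    return code


def has_pending(account_id):
    """True while a live code exists for account_id."""
    return account_id in pending_codes


def verify_code(account_id, submitted, now=None):
    """Return True only if submitted matches the live code for account_id.

    Every call, right or wrong, counts against the shared attempt budget; the
    code is discarded once the budget is spent, the code expires, or it is used.
    """
    entry = pending_codes.get(account_id)
    if entry is None:
        return False
    now = time.time() if now is None else now
    if now - entry["issued_at"] > CODE_TTL_SECONDS:
        del pending_codes[account_id]      # expired: a new code must be issued
        return False
    entry["attempts"] += 1
    if entry["attempts"] > MAX_ATTEMPTS:
        del pending_codes[account_id]      # budget exhausted: invalidate the code
        return False
    if hmac.compare_digest(entry["code"].encode(), str(submitted).encode()):
        del pending_codes[account_id]      # single use
        return True
    return False
```

With 10 attempts against a million possible codes, a guess succeeds with probability 10^-5 per reset, which is what the missing limit on the beta hosts gave away.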

Disclosure Timeline

Feb 22nd, 2016 : Report sent to Facebook team.

Feb 23rd, 2016 : Verified the fix from our end.

March 2nd, 2016 : Bounty of $15,000 awarded by Facebook

© 2019 AppSecure