Anand Prakash: how to unlock any Facebook account

Facebook paid 15,000 dollars to an independent security researcher who discovered a simple way to reset other people's passwords, setting a new password that only he knew. In this way he could have locked any account he wanted.

The person who discovered the security hole and helped Facebook fix it before it could be abused is Anand Prakash, a security researcher from India.

As he describes on his blog, the issue is actually a trivial attack on the password recovery form, and not on Facebook's main website, which is protected against this type of automated attack.

The password recovery form is used whenever a user forgets their Facebook password: the user fills in a form with the email address or phone number associated with their Facebook account.

Once this information has been entered, the user receives a six-digit code by SMS, which they type into the password reset form to reach a page where they can change the account's password.

If someone tries to guess this six-digit code on Facebook's main site, facebook.com, they are blocked after 10 or 12 invalid attempts.

Mr. Prakash discovered that this brute-force protection limit was not active on Facebook's beta platform, accessible at beta.facebook.com.

This is the platform Facebook uses to test new features before making them available to the general public through the main site.

So, using a simple brute-force tool, Mr. Prakash was able to recover the six-digit code he needed to access any account.

With a simple script, the researcher tried every possible combination until he hit the correct six-digit code. Everything else was easy.
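The control the beta site was missing, shown as an added example that is not from the article, from Mr. Prakash or from Facebook: a verifier that keeps one failed-attempt counter per account in a store shared by every front-end, so a second hostname cannot start the count from zero. The 10-attempt budget comes from the article; the class, method and store names are hypothetical.

```python
import hmac
import secrets
from dataclasses import dataclass

MAX_ATTEMPTS = 10  # the article reports facebook.com blocking after 10 or 12 failures


@dataclass
class ResetChallenge:
    """One outstanding password-reset code for one account."""
    code: str
    failures: int = 0
    locked: bool = False


class ResetCodeVerifier:
    """Verifies six-digit reset codes with a per-account attempt budget.

    Hypothetical implementation. The counter lives in one store that every
    front-end (main site, beta site, mobile) consults, so the limit cannot be
    bypassed by switching hostnames. With 10 tries against 10**6 codes, a
    guesser's chance per challenge is 1 in 100,000.
    """

    def __init__(self, max_attempts: int = MAX_ATTEMPTS) -> None:
        self.max_attempts = max_attempts
        self._store: dict[str, ResetChallenge] = {}  # account -> challenge

    def issue(self, account: str) -> str:
        """Create a fresh random six-digit code (what the SMS would carry)."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._store[account] = ResetChallenge(code=code)
        return code

    def verify(self, account: str, guess: str) -> bool:
        ch = self._store.get(account)
        if ch is None or ch.locked:
            return False  # no challenge, or budget exhausted: reject regardless of guess
        if hmac.compare_digest(ch.code, guess):
            del self._store[account]  # single use: a correct code is consumed
            return True
        ch.failures += 1
        if ch.failures >= self.max_attempts:
            ch.locked = True  # even the right code is now useless; a new code must be requested
        return False

    def attempts_left(self, account: str) -> int:
        ch = self._store.get(account)
        return 0 if ch is None or ch.locked else self.max_attempts - ch.failures
```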

The researcher discovered the issue on February 22 and reported it to Facebook, and the company fixed it the next day.

Below is the PoC published by the researcher.

iGuRu.gr, The Best Technology Site in Greece


Written by giorgos
