Can I hack a Facebook account? It is perhaps the most frequently asked question on the Internet. Although a working answer is hard to come by, a white-hat hacker showed how easy it is to hack not one but many Facebook accounts with some basic computer knowledge.
California's Gurkirat Singh recently discovered a loophole in Facebook's password reset mechanism that could give a hacker full access to Facebook accounts.
The attack is simple in concept, although carrying it out is quite difficult. Let's see what Gurkirat (@GurkiratSpeca) says:
The issue lies in how Facebook allows you to reset your password. The social network uses an algorithm that generates a random 6-digit code (meaning there are 10⁶ = 1,000,000 possible combinations) which does not change until it is 'used' (if you request it from MBasic.facebook.com).
"This could mean that if 1 million people request a password reset code in a short period of time, and no one uses their code to reset the password, then the 1,000,001st person who requests a code will get one that one of the previous people has already received," Gurkirat said in a post on his blog.
Gurkirat began collecting valid user IDs from Facebook by querying Facebook's Graph API starting at 100.000.000.000.000, since Facebook IDs are generally 15 digits long. He then visited www.facebook.com/[ID] with a valid ID in place of [ID].
The URL automatically redirects and changes the Facebook ID with the name of the user. In this way, he was able to make a list of 2 million valid Facebook usernames.
"I first reported this bug on May 3, 2016, but Facebook did not believe that such a large-scale attack could be carried out. They wanted proof," Gurkirat told The Hacker News.
"So I spent almost a month developing an infrastructure that targeted 2 million Facebook users. I then resubmitted this bug, and they agreed that it was indeed a security gap."
Then, using a script, hundreds of proxies and random user-agents, Gurkirat began automatically sending password reset requests for these 2 million users.
He randomly chose a 6-digit number, 338.625, and ran the password reset step with a brute-forcing script against every name on his list, hoping that Facebook had assigned this code to someone among the 2.000.000 usernames.
In this way Gurkirat managed to find a correct reset-code and username combination, which allowed him to reset the password and take over the account of a random Facebook user.
Although Facebook immediately fixed the bug reported by Gurkirat, the researcher believes that the Facebook patch is not "strong enough to mitigate this vulnerability."
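To make the two points above concrete (why a 6-digit code that stays valid until used is dangerous at scale, and what a reset mechanism that is "strong enough" looks like), here is an added Python example. It is not code from the article, from Gurkirat or from Facebook; it models the weak design the article describes beside a hardened store with high-entropy single-use tokens, expiry and per-account attempt limits, and computes the probability that one fixed code matches at least one outstanding code. The class and method names, the 10-minute lifetime and the 5-attempt limit are assumptions chosen for illustration.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_SPACE = 10 ** 6  # six decimal digits, as the article states (10^6 combinations)


def match_probability(outstanding_codes: int, code_space: int = CODE_SPACE) -> float:
    """Probability that one fixed guess equals at least one of N outstanding codes,
    assuming each code is drawn uniformly at random: 1 - (1 - 1/S)^N.
    With S = 10^6 and N = 2,000,000 this is about 0.86."""
    return 1.0 - (1.0 - 1.0 / code_space) ** outstanding_codes


class WeakResetStore:
    """Models the behaviour described in the article: a 6-digit code that
    stays valid until it is used, with no expiry and no attempt limit."""

    def __init__(self) -> None:
        self._codes: dict[str, str] = {}  # account -> outstanding code

    def issue(self, account: str) -> str:
        code = f"{secrets.randbelow(CODE_SPACE):06d}"
        self._codes[account] = code
        return code

    def redeem(self, account: str, code: str) -> bool:
        if self._codes.get(account) == code:
            del self._codes[account]
            return True
        return False


@dataclass
class _Token:
    digest: bytes        # HMAC of account:token, so a DB leak does not expose tokens
    expires_at: float
    attempts_left: int


class HardenedResetStore:
    """Hardened design (assumed, not Facebook's fix): ~256-bit single-use token,
    bound to the account, short lifetime, bounded verification attempts."""

    TTL_SECONDS = 600   # assumption: 10-minute lifetime
    MAX_ATTEMPTS = 5    # assumption: lock the token after 5 wrong guesses

    def __init__(self, clock=time.time) -> None:
        self._clock = clock
        self._tokens: dict[str, _Token] = {}
        self._key = secrets.token_bytes(32)  # server-side secret for the HMAC

    def _digest(self, account: str, token: str) -> bytes:
        return hmac.new(self._key, f"{account}:{token}".encode(), "sha256").digest()

    def issue(self, account: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits of entropy, not 20 bits
        self._tokens[account] = _Token(
            self._digest(account, token),
            self._clock() + self.TTL_SECONDS,
            self.MAX_ATTEMPTS,
        )
        return token

    def redeem(self, account: str, token: str) -> bool:
        entry = self._tokens.get(account)
        if entry is None:
            return False  # no outstanding token for this account
        if self._clock() > entry.expires_at:
            del self._tokens[account]  # expired: a stale token never becomes valid
            return False
        entry.attempts_left -= 1
        ok = hmac.compare_digest(entry.digest, self._digest(account, token))
        if ok or entry.attempts_left <= 0:
            del self._tokens[account]  # single use, or locked out after too many tries
        return ok


if __name__ == "__main__":
    print(f"P(fixed guess matches one of 2M codes) = {match_probability(2_000_000):.3f}")
    store = HardenedResetStore()
    t = store.issue("alice")
    print("first redeem:", store.redeem("alice", t), "second redeem:", store.redeem("alice", t))
```

The probability function is the article's own pigeonhole argument carried one step further: a single fixed guess against 2 million outstanding 6-digit codes succeeds with probability 1 - (1 - 10⁻⁶)^2,000,000 ≈ 1 - e⁻² ≈ 0.86. The hardened store removes each ingredient of that attack independently: the token space is far too large to cover by volume, tokens expire so outstanding codes cannot accumulate, each account allows only a handful of verification attempts, and a token is only ever checked against the account it was issued for. Rate limiting of reset requests per source and per account belongs in front of this store but is outside the example.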