Can I hack a Facebook account? It is perhaps the most frequently asked question on the Internet. Although the solution is hard to find, a white hat hacker has demonstrated how easy it is to hack not one but many Facebook accounts with some basic computer knowledge.
Gurkirat Singh from California recently discovered a loophole in Facebook's password reset mechanism that could give a hacker full access to Facebook accounts.
The attack is simple, although executing it is quite difficult. Let's see what Gurkirat (@GurkiratSpeca) says:
The issue lies in how Facebook allows you to reset your password. The social network uses an algorithm that generates a random 6-digit reset code (that means there are 10⁶ = 1,000,000 possible combinations), which does not change until it is 'used' (if you request it from mbasic.facebook.com).
"This could mean that if 1 million people request a password in a short period of time, and no one uses their number to reset the password, then the 1,000,001st person who requests a number will get a password that one of the previous ones has already received," Gurkirat said in a post on his blog.
Gurkirat first started collecting valid Facebook IDs by querying the Facebook Graph API, starting with 100,000,000,000,000, since Facebook IDs are generally 15 digits long. He then visited www.facebook.com/[ID] with a valid numeric ID in place of [ID].
The URL automatically redirects, replacing the Facebook ID with the user's username. In this way, he was able to make a list of 2 million valid Facebook usernames.
"I first reported this bug on May 3, 2016, but Facebook did not believe that executing an attack on such a large scale could be possible. They wanted evidence," Gurkirat told Hacker News.
"So I spent almost a month developing an infrastructure that targeted 2 million Facebook users. I then resubmitted this error, and they agreed that it was indeed a security breach."
Then, using a script, hundreds of proxies and random user-agents, Gurkirat began automatically sending password reset requests for these 2 million users.
He randomly chose a 6-digit number, 338,625, and started the password reset process using a brute-force script against all the names on his list, hoping that Facebook had assigned this number to someone among the 2,000,000 usernames.
In this way, Gurkirat found a matching combination of password reset code and username that allowed him to reset the password and break into the account of a random Facebook user.
Although Facebook immediately fixed the bug reported by Gurkirat, the researcher believes that the Facebook patch is not "strong enough to mitigate this vulnerability."
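The arithmetic behind the collision, and a reset-code issuer that avoids it, as an added example (not code from Facebook or the researcher). The names `p_code_in_use` and `ResetCodes`, the 15-minute lifetime, the five-attempt cap and the 128-bit token are assumptions chosen for illustration.

```python
import hmac, math, secrets, time

def p_code_in_use(code_space: int, outstanding: int) -> float:
    """Chance that one fixed guess equals at least one of `outstanding`
    independently random codes drawn from `code_space` possible values."""
    # 1 - (1 - 1/S)^N, computed stably for very large S
    return -math.expm1(outstanding * math.log1p(-1.0 / code_space))

class ResetCodes:
    """Hypothetical issuer: high-entropy, expiring, single-use, attempt-capped."""
    TTL = 15 * 60          # seconds a code stays valid (assumed policy)
    MAX_ATTEMPTS = 5       # wrong guesses before the code is revoked (assumed)

    def __init__(self, clock=time.time):
        self._clock = clock
        self._live = {}    # account -> [code, expires_at, attempts_left]

    def issue(self, account: str) -> str:
        code = secrets.token_urlsafe(16)          # 128 bits from the OS CSPRNG
        self._live[account] = [code, self._clock() + self.TTL, self.MAX_ATTEMPTS]
        return code

    def redeem(self, account: str, guess: str) -> bool:
        entry = self._live.get(account)
        if entry is None:
            return False
        code, expires_at, _ = entry
        if self._clock() >= expires_at:
            del self._live[account]               # expired: no "valid until used"
            return False
        if hmac.compare_digest(code.encode(), guess.encode()):
            del self._live[account]               # single use
            return True
        entry[2] -= 1
        if entry[2] <= 0:
            del self._live[account]               # too many wrong guesses
        return False

if __name__ == "__main__":
    # Figures from the article: 6-digit codes, 2 million pending resets.
    print(f"6-digit code, 2M pending:  {p_code_in_use(10**6, 2_000_000):.3f}")
    print(f"128-bit token, 2M pending: {p_code_in_use(2**128, 2_000_000):.3e}")
```

The attempt cap alone would not have stopped the attack described here, which spends one guess per account; the size of the code space is what drives the first probability toward zero.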