Gurkirat Singh: hacking Facebook accounts

Can I hack someone's Facebook account? It is perhaps the most frequently asked question on the Internet. Although a working answer is hard to come by, a white hat hacker has demonstrated how easy it is to hack not one but many Facebook accounts with some basic computer knowledge.

Gurkirat Singh recently discovered a loophole in Facebook's password reset mechanism that could give an attacker full access to Facebook accounts.

The attack is simple in principle, although carrying it out is quite involved. Here is what Gurkirat (@GurkiratSpeca) says:

The issue lies in how Facebook lets you reset your password. The social network uses an algorithm that generates a random 6-digit code (so there are 10⁶ = 1,000,000 possible combinations), and that code does not change until it is 'used' (if you request it from mbasic.facebook.com).

"This could mean that if 1 million people request a password in a short period of time, and no one uses their number to reset the password, then the 1,000,001st person who requests a number will get a password that one of the previous ones has already received," Gurkirat said in a post on his blog.

Gurkirat began collecting valid Facebook IDs by querying Facebook's Graph API, starting from 100,000,000,000,000, since Facebook IDs are generally 15 digits long. He then visited www.facebook.com/[ID] with a valid ID in place of [ID].

The URL redirects automatically, replacing the Facebook ID with the username. In this way he was able to build a list of 2 million valid Facebook usernames.

"I first reported this bug on May 3, 2016, but Facebook did not believe that such a large-scale attack could be carried out. They wanted proof," Gurkirat told The Hacker News.

"So I spent almost a month building infrastructure that targeted 2 million Facebook users. I then resubmitted the bug, and they agreed that it was indeed a security vulnerability."

Then, using a script, hundreds of proxies and random user agents, Gurkirat began automatically sending password reset requests for these 2 million users.

He randomly chose a 6-digit number, 338625, and ran a brute-forcing script that tried this code against all the names on his list, hoping that Facebook had assigned this number to someone among the 2,000,000 usernames.

In this way Gurkirat found a valid password reset code and username combination, which allowed him to reset the password and take over a random Facebook user's account.
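The arithmetic behind that step, as an added example that is not part of the original article or of Gurkirat's own tooling: a toy reset service (an assumption for this illustration, not Facebook's implementation) issues one six-digit code per account that stays valid until used and locks an account after a few wrong guesses, and the attacker tries one fixed code against many accounts instead of many codes against one account. The class and function names, the per-account attempt limit of five and the constructed user list are all assumptions made for the example.

```python
import random

CODE_SPACE = 10**6  # a six-digit numeric code: 000000 .. 999999


def reverse_brute_force_success_probability(n_accounts, code_space=CODE_SPACE):
    """Chance that at least one of n_accounts pending codes equals one fixed guess.

    Each pending code is an independent uniform draw from code_space, so the
    probability that none of them matches the guess is (1 - 1/code_space)**n.
    """
    return 1.0 - (1.0 - 1.0 / code_space) ** n_accounts


class ResetService:
    """Toy model of a reset flow (an assumption for this example, not Facebook's code).

    A code is issued per account, stays valid until it is used, and the account
    is locked after a few wrong attempts. That per-account limit is exactly what
    an attacker side-steps by spreading one attempt across many accounts.
    """

    def __init__(self, rng, code_space=CODE_SPACE, max_attempts_per_account=5):
        self.rng = rng
        self.code_space = code_space
        self.max_attempts = max_attempts_per_account
        self.pending = {}   # user -> code that is still valid (not yet used)
        self.issued = {}    # user -> code last issued (kept so a test can audit hits)
        self.attempts = {}  # user -> wrong attempts so far

    def request_reset(self, user):
        # The code does not change until it is used, so repeat requests reuse it.
        if user not in self.pending:
            code = self.rng.randrange(self.code_space)
            self.pending[user] = code
            self.issued[user] = code

    def try_code(self, user, code):
        if self.attempts.get(user, 0) >= self.max_attempts:
            return False  # locked: the per-account limit works against one target
        if self.pending.get(user) == code:
            del self.pending[user]  # code consumed on success
            return True
        self.attempts[user] = self.attempts.get(user, 0) + 1
        return False


def reverse_brute_force(service, users, guess):
    """One fixed guess against every account: one attempt each, so no lock is ever tripped."""
    hits = []
    for user in users:
        service.request_reset(user)
        if service.try_code(user, guess):
            hits.append(user)
    return hits


def classic_brute_force(service, user, code_space):
    """Many guesses against one account: the per-account lock stops this almost at once."""
    service.request_reset(user)
    for guess in range(code_space):
        if service.try_code(user, guess):
            return guess
    return None


if __name__ == "__main__":
    # Constructed, scaled-down inputs: a 1,000-code space and 2,000 accounts keep
    # the ratio accounts/codes = 2, the same as 2,000,000 accounts against 10**6 codes.
    rng = random.Random(2016)
    service = ResetService(rng, code_space=1000)
    users = [f"user{i}" for i in range(2000)]
    hits = reverse_brute_force(service, users, guess=338)
    print(f"reverse brute force hit {len(hits)} account(s): {hits[:5]}")
    print("analytic P(success) with 2,000,000 accounts: "
          f"{reverse_brute_force_success_probability(2_000_000):.4f}")
    print("classic brute force against one account:",
          classic_brute_force(service, "victim", 1000))
```

With 2,000,000 accounts and a 10⁶ code space, one fixed guess succeeds with probability 1 - (1 - 10⁻⁶)^2,000,000 ≈ 0.86, and the expected number of matching accounts is about 2, while the classic direction is blocked after the fifth wrong attempt on a single account. A limit counted only per target account therefore does nothing against this attack; the attempts have to be counted and limited per source as well.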

Although Facebook immediately fixed the bug Gurkirat reported, the researcher believes the Facebook patch is not "strong enough to mitigate this vulnerability."


Written by Dimitris
