A security researcher has found a clever way to take over any Facebook account by manipulating weaknesses in the social network’s password reset mechanism.
In a moment of boredom, bug bounty hunter Samip Aryal from Nepal discovered that by uninstalling and re-installing the Facebook app with different user-agents he could manipulate Facebook’s password reset flow to brute force the authentication/login code, and take over the account.
This was possible because of several weaknesses:
1 – the code remained valid for a whopping two hours (plenty of time to brute force a 6-digit code)
2 – the same code was sent every time over the 2-hour span
3 – Aryal (the attacker) could attempt as many wrong login codes as necessary, again allowing plenty of options for a brute-force attack
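The three weaknesses above map directly onto three server-side controls for one-time reset codes: how long a code lives, whether a resend reuses the same code, and how many guesses are accepted before the code is invalidated. The following Python module is an added illustration written for this article, not code from Facebook or from the researcher; it models a reset-code store with a policy object, so that a configuration mirroring the reported weaknesses (`WEAK`) can be compared side by side with a hardened one (`HARDENED`). The concrete limits in `HARDENED` (10-minute lifetime, 5 attempts) are assumed values chosen for the example, not figures from the report.

```python
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class ResetPolicy:
    ttl_seconds: int            # how long an issued code stays valid
    max_attempts: int           # wrong guesses tolerated before the code is burned
    reuse_code_on_resend: bool  # does "send again" hand out the same code?


# Mirrors the three weaknesses described in the article:
# 2-hour validity, same code on every resend, effectively unlimited guesses.
WEAK = ResetPolicy(ttl_seconds=2 * 60 * 60, max_attempts=10**9, reuse_code_on_resend=True)

# Assumed hardened values for this example (not Facebook's actual settings):
# short lifetime, a fresh code on every request, and a small guess budget.
HARDENED = ResetPolicy(ttl_seconds=10 * 60, max_attempts=5, reuse_code_on_resend=False)


@dataclass
class _Entry:
    code: str
    issued_at: float
    attempts: int = 0


class ResetCodeStore:
    """In-memory store of outstanding password-reset codes, one per user."""

    def __init__(self, policy: ResetPolicy, rng=secrets.randbelow):
        self.policy = policy
        self._rng = rng          # injectable so tests can be deterministic
        self._entries: dict[str, _Entry] = {}

    def _expired(self, entry: _Entry, now: float) -> bool:
        return now - entry.issued_at > self.policy.ttl_seconds

    def issue(self, user: str, now: float) -> str:
        """Return the 6-digit code to deliver to the user (via a notification, SMS, ...)."""
        entry = self._entries.get(user)
        if entry and self.policy.reuse_code_on_resend and not self._expired(entry, now):
            return entry.code  # weak behaviour: resend repeats the live code
        code = f"{self._rng(1_000_000):06d}"
        self._entries[user] = _Entry(code=code, issued_at=now)  # replaces any older code
        return code

    def verify(self, user: str, submitted: str, now: float) -> str:
        """Check a submitted code. Returns one of: ok, wrong, expired, locked, no_code."""
        entry = self._entries.get(user)
        if entry is None:
            return "no_code"
        if self._expired(entry, now):
            del self._entries[user]
            return "expired"
        if entry.attempts >= self.policy.max_attempts:
            del self._entries[user]  # burn the code; the user must request a new one
            return "locked"
        entry.attempts += 1
        if secrets.compare_digest(entry.code, submitted):  # constant-time comparison
            del self._entries[user]  # single use: a correct code is consumed
            return "ok"
        return "wrong"


if __name__ == "__main__":
    store = ResetCodeStore(HARDENED)
    code = store.issue("demo-user", now=0)
    print("issued", code)
    print("wrong guess ->", store.verify("demo-user", "000000", now=1))
    print("right guess ->", store.verify("demo-user", code, now=2))
```

Under `WEAK`, a second `issue()` within the window returns the code already in flight and `verify()` keeps accepting guesses, which is exactly the combination that makes exhaustive guessing of a 6-digit code feasible. Under `HARDENED`, every request replaces the code, the budget of wrong guesses is small, and a consumed or locked code is deleted so it cannot be retried; lockout should additionally be logged and surfaced to the account owner as a signal of an attempted takeover.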
In one instance, the notification returned the code in clear text, making Aryal’s discovery a 0-click account takeover. In another instance, the notification required tapping and the code was rendered on a separate screen.
Using the correct code, Aryal reset the account password and took over the account, which allowed him to set a new password, disable multi-factor authentication, etc.
In the case of a notification requiring user interaction, the attack would be much more difficult to pull off, if not impossible. Moreover, in both instances (clear-text or not) the account’s real owner would see the password reset process unfold, giving rise to suspicion.
Nonetheless, Aryal’s discovery awarded him the top spot on Facebook’s bug bounty hall of fame for 2024. This was also his highest paid bug report so far, but he refrains from disclosing the actual amount.
Facebook told the researcher via email that, “While this did require user interaction, we consider clicking a notification to be a much lower bar than clicking a link sent to you by an attacker, therefore we decided to deduct from the 0-click ATO, rather than basing the bounty off the 1-click ATO.”
The white hat reported the bug at the end of January. Facebook requested a few clarifications before ultimately addressing the issue only a few days later, making for a very prompt response on behalf of the social network.
If you’re an avid Facebook user, make sure to have multi-factor authentication enabled, and be wary of unsolicited password reset prompts – or any prompts involving changes to your account.
If in doubt, start the password reset flow yourself, set an all-new complex password, and avoid using SMS for multi-factor authentication. Instead, use a trusted Authenticator app.
Filip has 15 years of experience in technology journalism. In recent years, he has turned his focus to cybersecurity in his role as Information Security Analyst at Bitdefender.
November 14, 2024
September 06, 2024