News

Facebook fixes bug in beta site that allowed accounts to be hijacked

By admin
Spread the love

Due to a bug in Facebook’s beta site, it was possible to enter a password reset code an unlimited number of times. With simply the phone number or email address of a member of the social network, the six-digit code could be retrieved via bruteforce.

If you forget your password on Facebook, you can reset it by entering your phone number or email address. Facebook then sends a six-digit reset code for authentication. After 10 to 12 incorrect entries, that code expires, to prevent a malicious person from bruteforce trying all possible codes and changing the password without authorization.

However, at beta.facebook.com and mbasic.beta.facebook.com, there appeared to be no limit to the number of times that code entered, Anand Prakash, an Indian ‘bug bounty hunter’ discovered. Using the Burp Repeater tool, he managed to find the correct reset code to change the password of his own account after numerous attempts. According to him, this could have been done with any account.

Facebook acknowledged the error, corrected it and awarded Prakash $15,000 for his discovery.

You might also like
News

Google is serious about ending passwords: ‘passkeys’ are becoming the…

News

Sony and Microsoft sign agreement to keep Call of Duty on PlayStation

News

Elon Musk: Twitter loses half of ad revenue

News

GitHub enables passwordless login via passkeys in beta

News

Proton releases Windows app for encrypted cloud storage service Proton Drive

News

European Commission agrees to VMware acquisition by Broadcom