Gurkirat Singh
from California recently discovered a loophole in Facebook's password
reset mechanism that could have given hackers complete access to the
victim's Facebook account, allowing them to view message conversations
and payment card details, post anything and do whatever the real account
holder can.
The issue, Gurkirat (@GurkiratSpeca) says, actually resides in the way Facebook allows you to reset your password. The social network uses an algorithm that generates a random 6-digit passcode ‒ that's 10⁶ = 1,000,000 possible combinations ‒ which does not change until gets 'used' (if you request it from mbasic.facebook.com).
"That could possibly mean that if 1 million people request a password within a short amount of time such that no one uses their code to reset the password, then 1,000,0001 person to request a code will get a passcode that someone from the batch has already been assigned," Gurkirat explains in a blog post.
Gurkirat first collected valid Facebook IDs by making queries to Facebook Graph API starting with 100,000,000,000,000, since Facebook IDs are generally 15-digit long and then visited www.facebook.com/[ID] with a valid ID number in place of [ID].
Once entered, the URL automatically redirected and changed the Facebook ID to the user's username. In this way, first, he was able to make a list of 2 Million valid Facebook usernames.
Then using a script, hundreds of proxies and random user-agents, Gurkirat automatically initiated the password reset requests for those 2 million users, each assigned a 6-digit password reset code, thus consuming the complete 6-digit range.
Gurkirat then randomly picked a 6-digit number, i.e. 338625, and started the password reset process using a brute forcing script against all those usernames in his list, hoping that this number had been assigned by Facebook to someone in his list of 2 million usernames.
Gurkirat practically executed this thing and managed to find a right password reset code and username combination that allowed him to reset the password and hijack a random user's Facebook account.
He went to www.beta.facebook.com/recover/password?u=[ID HERE]&n=338625 and I was brought to this page below. Now you get complete access to that random user’s account
Although Facebook has patched the bug after been reported by Gurkirat and rewarded him $500 (that's little less), Gurkirat has doubt that the patch is not "strong enough to mitigate this vulnerability."
However, Facebook provides you an extra layer of security to protect your account against such attacks.
Enable Login Approvals: Users are recommended to enable "Login Approvals" as an extra layer of security in order to prevent their Facebook accounts against these kinds of attacks.
Enable Login Notification Alerts: Facebook also provides a security feature, "Login Alerts," that send you an email or SMS whenever it suspects an unauthorized user is accessing your account.
Pretty much so low reward, there might be similar attack are in the hands of private sector that pay more...
source: HackerMoon
The issue, Gurkirat (@GurkiratSpeca) says, actually resides in the way Facebook allows you to reset your password. The social network uses an algorithm that generates a random 6-digit passcode ‒ that's 10⁶ = 1,000,000 possible combinations ‒ which does not change until gets 'used' (if you request it from mbasic.facebook.com).
"That could possibly mean that if 1 million people request a password within a short amount of time such that no one uses their code to reset the password, then 1,000,0001 person to request a code will get a passcode that someone from the batch has already been assigned," Gurkirat explains in a blog post.
Gurkirat first collected valid Facebook IDs by making queries to Facebook Graph API starting with 100,000,000,000,000, since Facebook IDs are generally 15-digit long and then visited www.facebook.com/[ID] with a valid ID number in place of [ID].
Once entered, the URL automatically redirected and changed the Facebook ID to the user's username. In this way, first, he was able to make a list of 2 Million valid Facebook usernames.
Then using a script, hundreds of proxies and random user-agents, Gurkirat automatically initiated the password reset requests for those 2 million users, each assigned a 6-digit password reset code, thus consuming the complete 6-digit range.
Gurkirat then randomly picked a 6-digit number, i.e. 338625, and started the password reset process using a brute forcing script against all those usernames in his list, hoping that this number had been assigned by Facebook to someone in his list of 2 million usernames.
Gurkirat practically executed this thing and managed to find a right password reset code and username combination that allowed him to reset the password and hijack a random user's Facebook account.
He went to www.beta.facebook.com/recover/password?u=[ID HERE]&n=338625 and I was brought to this page below. Now you get complete access to that random user’s account
Although Facebook has patched the bug after been reported by Gurkirat and rewarded him $500 (that's little less), Gurkirat has doubt that the patch is not "strong enough to mitigate this vulnerability."
However, Facebook provides you an extra layer of security to protect your account against such attacks.
Enable Login Approvals: Users are recommended to enable "Login Approvals" as an extra layer of security in order to prevent their Facebook accounts against these kinds of attacks.
Enable Login Notification Alerts: Facebook also provides a security feature, "Login Alerts," that send you an email or SMS whenever it suspects an unauthorized user is accessing your account.
Pretty much so low reward, there might be similar attack are in the hands of private sector that pay more...
source: HackerMoon
0 comments:
Post a Comment