by AppSecure

I figured out a way to hack any of Facebook’s 2 billion accounts, and they paid me a $15,000 bounty for it

I am publishing this with the permission of Facebook under the responsible disclosure policy. They have fixed this vulnerability.

This post is about a simple vulnerability I discovered on Facebook which I could have used to hack into other users’ Facebook accounts easily and without any user interaction.

This gave me full access to other users account by setting a new password. I was able to view messages, their credit/debit cards stored under their payment section, personal photos, and other private information.

Facebook acknowledged the issue promptly, fixed it, and rewarded me with a US $15,000 bounty based on the severity and impact of this vulnerability.

How the hack worked

Whenever a user Forgets their password on Facebook, they have an option to reset the password by entering their phone number and email address on https://www.facebook.com/login/identify?ctx=recover&lwv=110.

Facebook will then send a 6 digit code to this phone number or email address which the user has to enter in order to set a new password.

I tried to brute force the 6 digit code on www.facebook.com and was blocked after 10–12 invalid attempts.

Then I looked out for the same issue on beta.facebook.com and mbasic.beta.facebook.com. Interestingly, rate limiting was missing from forgot password endpoint.

I tried to take over my own account (as per Facebook’s policy, you should not do any harm any other users’ accounts) and was successful in setting a new password for my account. I could then use this same password to log into my own hacked account.

A proof of concept video of the hack

As you can see in the video, I was able to set a new password for the user by brute forcing the code which was sent to their email address and phone number.

Vulnerable request

POST /recover/as/code/ HTTP/1.1

Host: beta.facebook.com

lsd=AVoywo13&n=XXXXX

Brute forcing the “n” successfully allowed me to set new password for any Facebook user.

Disclosure Timeline

Feb 22nd, 2016 : Report sent to Facebook team.

Feb 23rd, 2016 : Verified the fix from my end.

March 2nd, 2016 : Bounty of $15,000 awarded by Facebook