White Hat Hacker Discovered A Loophole He Could Have Hacked Multiple Facebook Accounts
Gurkirat Singh from California recently discovered a loophole in Facebook's password reset mechanism that could have given hackers complete access to the victim's Facebook account, allowing them to view message conversations and payment card details, post anything and do whatever the real account holder can.
The issue, Gurkirat (@GurkiratSpeca) says, actually resides in the way Facebook allows you to reset your password. The social network uses an algorithm that generates a random 6-digit passcode ‒ that's 10⁶ = 1,000,000 possible combinations ‒ which does not change until gets 'used' (if you request it from mbasic.facebook.com).
"That could possibly mean that if 1 million people request a password within a short amount of time such that no one uses their code to reset the password, then 1,000,0001 person to request a code will get a passcode that someone from the batch has already been assigned," Gurkirat explains in a blog post.
Gurkirat first collected valid Facebook IDs by making queries to Facebook Graph API starting with 100,000,000,000,000, since Facebook IDs are generally 15-digit long and then visited www.facebook.com/[ID] with a valid ID number in place of [ID].
Once entered, the URL automatically redirected and changed the Facebook ID to the user's username. In this way, first, he was able to make a list of 2 Million valid Facebook usernames.
Then using a script, hundreds of proxies and random user-agents, Gurkirat automatically initiated the password reset requests for those 2 million users, each assigned a 6-digit password reset code, thus consuming the complete 6-digit range.
Gurkirat then randomly picked a 6-digit number, i.e. 338625, and started the password reset process using a brute forcing script against all those usernames in his list, hoping that this number had been assigned by Facebook to someone in his list of 2 million usernames.
Gurkirat practically executed this thing and managed to find a right password reset code and username combination that allowed him to reset the password and hijack a random user's Facebook account.
He went to www.beta.facebook.com/recover/password?u=[ID HERE]&n=338625 and I was brought to this page below. Now you get complete access to that random user’s account
Although Facebook has patched the bug after been reported by Gurkirat and rewarded him $500 (that's little less), Gurkirat has doubt that the patch is not "strong enough to mitigate this vulnerability."
However, Facebook provides you an extra layer of security to protect your account against such attacks.
Enable Login Approvals: Users are recommended to enable "Login Approvals" as an extra layer of security in order to prevent their Facebook accounts against these kinds of attacks.
Enable Login Notification Alerts: Facebook also provides a security feature, "Login Alerts," that send you an email or SMS whenever it suspects an unauthorized user is accessing your account.
Pretty much so low reward, there might be similar attack are in the hands of private sector that pay more...
source: HackerMoon
The issue, Gurkirat (@GurkiratSpeca) says, actually resides in the way Facebook allows you to reset your password. The social network uses an algorithm that generates a random 6-digit passcode ‒ that's 10⁶ = 1,000,000 possible combinations ‒ which does not change until gets 'used' (if you request it from mbasic.facebook.com).
"That could possibly mean that if 1 million people request a password within a short amount of time such that no one uses their code to reset the password, then 1,000,0001 person to request a code will get a passcode that someone from the batch has already been assigned," Gurkirat explains in a blog post.
Gurkirat first collected valid Facebook IDs by making queries to Facebook Graph API starting with 100,000,000,000,000, since Facebook IDs are generally 15-digit long and then visited www.facebook.com/[ID] with a valid ID number in place of [ID].
Once entered, the URL automatically redirected and changed the Facebook ID to the user's username. In this way, first, he was able to make a list of 2 Million valid Facebook usernames.
"I first reported this bug on May 3, 2016, but Facebook didn't believe me such large-scale execution could have been possible. They wanted proof," Gurkirat told The Hacker News. "So I spent close to a month learning and building the infrastructure to target a batch of 2 million Facebook users. I then re-submitted this bug, and they agreed that it indeed was an issue."
Then using a script, hundreds of proxies and random user-agents, Gurkirat automatically initiated the password reset requests for those 2 million users, each assigned a 6-digit password reset code, thus consuming the complete 6-digit range.
Gurkirat then randomly picked a 6-digit number, i.e. 338625, and started the password reset process using a brute forcing script against all those usernames in his list, hoping that this number had been assigned by Facebook to someone in his list of 2 million usernames.
Gurkirat practically executed this thing and managed to find a right password reset code and username combination that allowed him to reset the password and hijack a random user's Facebook account.
He went to www.beta.facebook.com/recover/password?u=[ID HERE]&n=338625 and I was brought to this page below. Now you get complete access to that random user’s account
Although Facebook has patched the bug after been reported by Gurkirat and rewarded him $500 (that's little less), Gurkirat has doubt that the patch is not "strong enough to mitigate this vulnerability."
"I would have never imagined that a company as big as Facebook would be susceptible to sheer computing power. The efficacy of the bug I found relied on just that," Gurkirat told the Hacker News.
"I was informed by Facebook that the patch has been applied and that they have started throttling aggressively per IP address. Given a much larger pool of IP addresses that can simulate a global network flow combined with little social engineering, I still doubt if their patch is strong enough to mitigate this vulnerability."
However, Facebook provides you an extra layer of security to protect your account against such attacks.
Enable Login Approvals: Users are recommended to enable "Login Approvals" as an extra layer of security in order to prevent their Facebook accounts against these kinds of attacks.
Enable Login Notification Alerts: Facebook also provides a security feature, "Login Alerts," that send you an email or SMS whenever it suspects an unauthorized user is accessing your account.
Pretty much so low reward, there might be similar attack are in the hands of private sector that pay more...
source: HackerMoon
No comments
Post a Comment