Sow Ching Shiong, an independent vulnerability researcher, has discovered a password reset vulnerability in www.facebook.com which can be exploited by an attacker to bypass certain security restrictions.
Under normal circumstances, an authenticated Facebook user is required to enter his/her current password on the change password page, so that an unauthorized person who reaches the page cannot change the password without the user's knowledge.
However, an attacker can change or reset a user's password without knowing the user's current password by accessing this URL directly: https://www.facebook.com/hacked.
The page then redirects to https://www.facebook.com/checkpoint/checkpointme?f=[userid]&r=web_hacked
From there, the attacker can click "Continue" to change or reset the user's password, with no prompt for the current password.
Proof of concept
Step 1: Log on to Facebook and access this URL directly: https://www.facebook.com/hacked. The page will redirect to https://www.facebook.com/checkpoint/checkpointme?f=[userid]&r=web_hacked
Step 2: Click on "Continue" to proceed
Step 3: Enter "New Password" and "Confirm Password" to change/reset the password.
Conclusion
This vulnerability has been confirmed and patched by the Facebook Security Team. I would like to thank them for their quick response to my report.
Facebook White Hat
https://www.facebook.com/whitehat
That's a nice find Sow. Congrats \m/
b0nd
Nice research (thumbs up)
Amazing man, I just shared it.
Doesn't work for me
Hi, this bug has been fixed by the Facebook Security Team.
Congratulations for your work :)
Thanks guys...
Very nice research!
Doesn't work for me guys
Hi, this bug has been fixed by the Facebook Security Team.
You idiot. You coulda become a millionaire in so many ways from this instead of reporting it.
Because of guys like you, people are provoked to commit crimes. Stop shortcuts, start helping.
Fuck you. Why do you get to find such an easy vulnerability and report it for little money? I was on a similar page in the past. I should've found out about this long ago. Instead I do tons of research on facebook and find nothing as serious as a remote password reset vuln. Moron.
You coulda stolen tons of large fanpages with that exploit and sold them for thousands or as traffic.
Most of your vulnerability discoveries haven't been as serious as this one.
Great! Congratz
http://www.thehackerspost.com/2013/01/facebook-password-reset-vulnerability.html
Can't get it to work
Dwayne
nice post!
This matter is down to earth, hats off buds out there.