A security researcher says he found a bug that would enable hackers to access any Facebook profile.
Anand Prakash, a computer engineer from Indian company Flipkart, says he was easily able to access other Facebook profiles without a password by carrying out what is known as a ‘brute force’ cyber attack.
When a Facebook user forgets their password, they are asked to enter either their email address, username or telephone number. Users are then sent a 6-digit security code which they can use to log in to Facebook and recover their password.
Normally sites prevent people from guessing other users' codes by locking accounts after a certain number of failed attempts.
However, Prakash discovered that Facebook's beta website, which is used by developers, did not place any restriction on the number of times someone could attempt to enter a code for an account.
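The defence the beta site was missing is an attempt cap on the reset code. The following is an added illustration, not code from the article or from Facebook: a small reset-code store that issues a random 6-digit code with an expiry, compares it in constant time, and refuses further guesses after a fixed number of failures. A helper enumerates codes in order to show why the cap matters: with no cap the code is always reached, with a cap of 5 the guesser is locked out after 5 tries (a 5 in 1,000,000 chance per issued code). All names (`ResetCodeStore`, `guess_until_done`, the account labels) are assumptions for this example.

```python
import hmac
import secrets
import time

CODE_DIGITS = 6


class ResetCodeStore:
    """Issues and verifies 6-digit password-reset codes (hypothetical example, not a real service)."""

    def __init__(self, max_attempts=5, ttl_seconds=600, clock=time.monotonic):
        # max_attempts=None reproduces the vulnerable configuration: unlimited guesses.
        self.max_attempts = max_attempts
        self.ttl = ttl_seconds
        self.clock = clock  # injectable so expiry can be tested without sleeping
        self._codes = {}  # account -> [code, issued_at, failed_attempts]

    def issue(self, account):
        """Generate a fresh, uniformly random code and reset the attempt counter."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._codes[account] = [code, self.clock(), 0]
        return code

    def verify(self, account, candidate):
        """Return 'ok', 'wrong', 'locked', 'expired' or 'no_code'. Codes are single use."""
        entry = self._codes.get(account)
        if entry is None:
            return "no_code"
        code, issued_at, attempts = entry
        if self.clock() - issued_at > self.ttl:
            del self._codes[account]
            return "expired"
        if self.max_attempts is not None and attempts >= self.max_attempts:
            return "locked"
        entry[2] += 1
        # Constant-time comparison so response timing does not leak matching digits.
        if hmac.compare_digest(code, candidate):
            del self._codes[account]  # consume the code on success
            return "ok"
        if self.max_attempts is not None and entry[2] >= self.max_attempts:
            # Cap reached: discard the code so the user must request a new one.
            del self._codes[account]
            return "locked"
        return "wrong"


def guess_until_done(store, account, max_guesses=10 ** CODE_DIGITS):
    """Submit codes 000000, 000001, ... until the store stops the run.

    Returns (outcome, guesses_made). Used here only to measure how many
    guesses the store tolerates under each configuration.
    """
    for n in range(max_guesses):
        result = store.verify(account, f"{n:0{CODE_DIGITS}d}")
        if result != "wrong":
            return result, n + 1
    return "exhausted", max_guesses


if __name__ == "__main__":
    uncapped = ResetCodeStore(max_attempts=None)
    uncapped.issue("alice")
    print("no cap:", guess_until_done(uncapped, "alice"))  # always ('ok', <code>+1)

    capped = ResetCodeStore(max_attempts=5)
    capped.issue("bob")
    print("cap of 5:", guess_until_done(capped, "bob"))  # ('locked', 5) unless the code is < 000005
```

The per-account counter is the minimum; a production service would also rate-limit per source address and per code, and tie the counter to the issued code so that requesting a new code does not reset the budget unboundedly.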
Prakash wrote about how he discovered the glitch in a blog post titled ‘How I could have hacked all Facebook accounts’.
Using the Burp Suite testing tool, Prakash was able to rapidly try every possible 6-digit security code until the correct one was accepted. This then meant that he was able to log into the account and set a new password.
In his blog post he demonstrates how he was able to exploit the bug to gain access to his own Facebook profile.
Fortunately, Prakash alerted Facebook to the glitch and was paid a $15,000 bug bounty for highlighting the problem, which potentially put more than one billion Facebook users at risk.
Facebook has now issued a patch to rectify the issue.
Source: The Hacker News