"Meta Patches Facebook Account Takeover Vulnerability"

Meta recently patched a critical vulnerability that could have been exploited to take control of any Facebook account. The security researcher who found the flaw noted that the vulnerability impacted Facebook's password reset process, specifically an option where a six-digit unique authorization code is sent to a different device the user is logged into. This code is provided to confirm the user's identity and is used to complete the password reset process.

An analysis of the request sent by the browser when this password reset option was used revealed that the unique code was active for roughly two hours, and there was no brute-force attack protection. The researcher noted that the attacker would only need to know the targeted individual's username and could have used a pentesting tool such as Burp Suite to brute-force the six-digit code, which would allow them to reset the targeted account's password or simply log into it.

The researcher said he reported his findings to Meta on January 30, and the issue was patched by February 2. According to its payout guidelines, Meta is prepared to pay between $5,000 and $130,000 for account takeover exploits, depending on the impacted component and the number of clicks required to execute the exploit. A zero-click account takeover exploit can earn researchers up to $130,000.
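The weakness described above comes down to a six-digit code that stayed valid for about two hours with no limit on wrong guesses. As an added example (not code from Meta or the researcher), this Python sketch of a reset-code verifier shows the controls that close that gap: a short expiry, a per-code cap on failed attempts, constant-time comparison and single use. The TTL and attempt-cap values are assumptions chosen for illustration.

```python
from __future__ import annotations

import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 10 * 60   # assumed: far shorter than the ~2 h window in the report
MAX_ATTEMPTS = 5             # assumed: wrong guesses allowed per issued code


@dataclass
class ResetCode:
    code: str
    issued_at: float
    attempts: int = 0


class ResetCodeStore:
    """Issues and verifies six-digit password-reset codes with expiry and an attempt cap."""

    def __init__(self, now=time.time):
        self._now = now                      # injectable clock so expiry is testable
        self._codes: dict[str, ResetCode] = {}

    def issue(self, username: str) -> str:
        # Uniformly random six digits from a CSPRNG; replaces any earlier code.
        code = f"{secrets.randbelow(1_000_000):06d}"
        self._codes[username] = ResetCode(code, self._now())
        return code

    def verify(self, username: str, guess: str) -> bool:
        entry = self._codes.get(username)
        if entry is None:
            return False
        if self._now() - entry.issued_at > CODE_TTL_SECONDS:
            del self._codes[username]        # expired: caller must request a fresh code
            return False
        entry.attempts += 1
        ok = hmac.compare_digest(entry.code, guess)   # constant-time comparison
        if ok or entry.attempts >= MAX_ATTEMPTS:
            del self._codes[username]        # single-use on success; invalidate after cap
        return ok
```

With the cap in place an attacker who knows only the username gets at most MAX_ATTEMPTS guesses at a million-value space before the code is thrown away, which is the protection the report says was missing.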


SecurityWeek reports: "Meta Patches Facebook Account Takeover Vulnerability"

Submitted by Adam Ekwall on