Background:
- A security researcher, during a break from engineering exams, decided to look for potential security flaws like Account Takeover on Facebook’s login page.
- The researcher found a previously unnoticed vulnerability in the password reset flow, which prompted further investigation.
Technical Details:
- The vulnerability involved a flaw in the password reset process on Facebook.
- By sending a POST request with a dummy 6-digit code to a specific endpoint, the researcher identified a nonce parameter that could be brute-forced.
- The researcher exploited this vulnerability using tools like Burp Suite to guess the nonce value and gain unauthorized access to a user’s account.
- There was no rate limiting on the endpoint, allowing for successful brute-force attacks.
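The missing control in the flow described above is a per-code attempt budget on the reset-code verification endpoint. The following is an added illustration, not code from the write-up or from Facebook: a hypothetical in-memory store for 6-digit reset codes that enforces an attempt limit, a short expiry, single use, and constant-time comparison. The class and method names (`ResetCodeStore`, `issue`, `verify`) and the constants are assumptions for this example.

```python
import hmac
import secrets
import time

CODE_LENGTH = 6          # the write-up's reset flow used a 6-digit code
MAX_ATTEMPTS = 5         # guesses allowed per issued code (5 out of 10**6 is negligible)
CODE_TTL_SECONDS = 600   # a code expires after ten minutes even if never tried


class ResetCodeStore:
    """Hypothetical server-side store for one-time password-reset codes.

    Properties the vulnerable endpoint lacked:
      * per-code attempt counter, so the code cannot be brute-forced;
      * short expiry, so a stale code cannot be guessed later;
      * constant-time comparison, so response timing leaks nothing;
      * single use, so a correct code cannot be replayed.
    """

    def __init__(self, now=time.time):
        self._now = now          # injectable clock (constructed for testing)
        self._codes = {}         # user_id -> [code, issued_at, failures]

    def issue(self, user_id):
        code = f"{secrets.randbelow(10 ** CODE_LENGTH):0{CODE_LENGTH}d}"
        self._codes[user_id] = [code, self._now(), 0]
        return code              # deliver out of band; never in a notification body

    def verify(self, user_id, submitted):
        entry = self._codes.get(user_id)
        if entry is None:
            return False         # no outstanding code, or already burned
        code, issued_at, failures = entry
        if self._now() - issued_at > CODE_TTL_SECONDS:
            del self._codes[user_id]
            return False
        if hmac.compare_digest(code, str(submitted)):
            del self._codes[user_id]   # single use: consume on success
            return True
        entry[2] = failures + 1
        if entry[2] >= MAX_ATTEMPTS:
            del self._codes[user_id]   # burn the code; a new one must be requested
        return False

    def outstanding(self, user_id):
        return user_id in self._codes
```

Once `MAX_ATTEMPTS` wrong guesses are recorded, even the correct code is rejected until a fresh one is issued, which is what turns an unbounded 10**6 search into a non-starter.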
Sample Proof of Concept (POC):
- The vulnerability allowed for a “0-click Account Takeover,” where some users could have their nonce code displayed directly in notifications.
- For other users, a “1-click Account Takeover” required interaction with the notification to reveal the code on a separate screen.
- Facebook acknowledged the severity of the issue and made adjustments to improve security measures.
In summary, the vulnerability in Facebook’s password reset flow exposed a significant security risk, potentially leading to unauthorized account access through a brute-force attack on the nonce parameter. Facebook addressed the issue to enhance protection against such exploits.