Facebook has fixed a simple yet potentially dangerous bug in its beta platform that could allow an attacker to take over another user’s account by brute-forcing the passcode that Facebook sends to users who forget their passwords.
When a Facebook user forgets her password, she is directed to a form to enter either an email address or mobile phone number. Facebook then sends a six-digit code that the user can enter in order to set a new password. The vulnerability stemmed from the fact that Facebook did not rate-limit the number of times a user could enter an incorrect code.
Anand Prakash, a researcher based in India, discovered the bug and found that he could use a brute-forcing tool to try as many combinations as he wanted when entering the code. Once he had guessed the code correctly, he could reset the account’s password and gain full access to the user’s private data.
“I tried to take over my account (as per Facebook’s policy you should not do any harm on any other user’s account) and was successful in setting a new password for my account. I could then use the same password to log in to the account,” Prakash wrote in a post disclosing the flaw.
The flaw did not affect the main Facebook platform, as the company has a rate limit in place there. Prakash reported the vulnerability to Facebook through the company’s security reward program and received a $15,000 bounty.
Facebook is one of a number of social media companies, banks, and other companies that use short codes sent via text or email as a part of a password recovery or authentication process. The system can work well when implemented correctly, but it does have weak spots, as Prakash found.
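The following is an added illustration, not Facebook’s code or Prakash’s tooling, of what “implemented correctly” means for a six-digit reset code: the verifier counts failed attempts per issued code, refuses further guesses once a limit is hit (the attempt limit and expiry values are assumed policy choices), expires the code, and treats it as one-time. Without the attempt counter, a six-digit code offers only a million possibilities and falls to exactly the enumeration described above.

```python
import hmac
import secrets
import time

CODE_LENGTH = 6
MAX_ATTEMPTS = 5          # assumed policy: guesses allowed per issued code
CODE_TTL_SECONDS = 600    # assumed policy: code is valid for ten minutes


class ResetCodeStore:
    """Issues one-time six-digit reset codes and enforces an attempt limit.

    The clock is injectable so expiry can be exercised deterministically.
    """

    def __init__(self, now=time.time):
        self._now = now
        # account -> {"code": str, "issued": float, "attempts": int}
        self._codes = {}

    def issue(self, account):
        # Fresh code from a CSPRNG, zero-padded to six digits; replaces any
        # outstanding code and resets the attempt counter for this account.
        code = f"{secrets.randbelow(10 ** CODE_LENGTH):0{CODE_LENGTH}d}"
        self._codes[account] = {"code": code, "issued": self._now(), "attempts": 0}
        return code

    def verify(self, account, guess):
        entry = self._codes.get(account)
        if entry is None:
            return False
        if self._now() - entry["issued"] > CODE_TTL_SECONDS:
            del self._codes[account]          # expired: a new code must be issued
            return False
        if entry["attempts"] >= MAX_ATTEMPTS:
            # Locked out: even the correct code is refused until a new one is
            # issued, so an unbounded guessing loop cannot succeed. A per-IP
            # or per-account request rate limit belongs in front of this too.
            return False
        entry["attempts"] += 1
        if hmac.compare_digest(entry["code"], str(guess)):
            del self._codes[account]          # one-time use
            return True
        return False
```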
Image from Flickr stream of Mambembe Arts and Crafts.