Hacker Wins Bug Bounty After Exposing Critical Facebook Security Flaw

A hacker from California has revealed a trick which could allow him to hack into a user’s Facebook account and gain complete access to it.

Learning to hack a Facebook account is one of the first things people want to learn. Many try their hand at this to gain complete access to someone’s Facebook profile. One California-based hacker tried his method, and subsequently discovered a method that exploits Facebook’s password reset mechanism to hack into anyone’s Facebook profile.

Read: Some social engineering skills and Facebook will gift your account to hackers

Gurkirat Singh has revealed that he discovered a way to gain access to anyone’s Facebook profile using a flaw in the social networking site’s password reset mechanism. He said that the only way for anyone to reset their Facebook password is to use a randomly generated 6-digit code which Facebook provides them with once they request a password reset.

The algorithm behind it produces a truly random number. But the fact that it is a 6-digit code means that there are a possible 106 = 1,000,000 combinations. These remain the same until they are used. Gurkirat exploited this fact.

According to him, Facebook needs to store duplicate codes for multiple users if more than 1,000,000 users request a password reset. This means that more than two people have the same passcode. To use this for his purpose, Gurkirat Singh devised a way to send in 2 million password change requests to Facebook

He mentions that doing so is not simple, for it requires a way to change your IP to avoid being blocked by the company, as well as access to 2 million Facebook IDs. Since Facebook IDs are 15-digit long, Singh used 1,00,000,000,000,000 and made queries to Facebook Graph API to see which IDs were valid. This can only be done through authorized apps, and once a match is found, you can enter the ID in the URL like www.facebook.com/. The URL then automatically changes the ID to the username. This data was compiled into a JSON by Singh.

To handle the problem of IP changing, Gurkirat Singh simply used a proxy server that listened to HTTP Requests and then assigned a random IP address to each request. He used a multithreaded script to simulate user behaviour when a passcode is required. The script requests a passcode to every user in the JSON file created earlier. Then the scripts were run to make the requests. It looked like this:

Hacker Discloses Trick behind Hacking Multiple Facebook Accounts 1

After doing so, the 6-digit passcode needs to be matched using the Brute force technique. Singh added ID to the key ‘u’ and the successfully matched passcode to the key ‘n’ in the URL as www.beta.facebook.com/recover/password?u=…&n=… Doing so returned a match.

Hacker Discloses Trick behind Hacking Multiple Facebook Accounts

Read: Hacking Facebook Account by Simply Knowing Account Phone Number

Once this was done, Singh added this matched passcode to the URL and was redirected to the password reset page. Therefore, he was successful in gaining access to a user’s account using this method. Singh said that the bounty offered to him was a mere $500, as Facebook considered this as a low priority finding.

Related Posts