Wednesday, January 9, 2013

Facebook Password Reset Flaw

Hacker found a way to hack and change your password like, just he used to change his own password. Confused ? Recently Facebook fix a very critical vulnerability on the tip of 'Sow Ching Shiong', an independent vulnerability researcher. Flaw allows anyone to reset the password of any Facebook user without knowing his last password.


At Facebook, there is an option for compromised accounts at "https://www.facebook.com/hacked" , where Facebook ask one to change his password for further protection. This compromised account recovery page, will redirect you to another page at "https://www.facebook.com/checkpoint/checkpointme?f=[userid]&r=web_hacked" .

Researcher notice that the URL of the page having a parameter called "f" which represents your user ID and replacing the user ID with victim's user ID allow him to get into next page where attacker can reset the password of victim without knowing his last password.

The Vulnerability was very simple to execute, but now patched by Facebook Security Team.

Source: thehackernews.com