Very often, ‘aspiring’ hackers search for the term ‘how to hack Facebook accounts’, and while looking for easy-to-use Facebook hack exploit kits they frequently end up as victims of malware themselves. On the other hand, there are white hat hackers who use their skills to hunt for Facebook bugs and report them to Facebook.
One such account was recently published by security researcher Gurkirat Singh. In a blog post, he described a loophole in Facebook’s password reset mechanism that could have given him complete access to a target’s Facebook account. With that access he could have read the victim’s private messages, viewed stored card details, or done anything else the account owner can do.
Facebook’s password reset bug — Explained
Explaining the bug, he walks through how Facebook lets you reset your password. The site generates a random 6-digit passcode, which gives 10⁶ = 1,000,000 possible values. Crucially, this code does not change (if requested from mbasic.facebook.com) until it is used, and nothing stops an unlimited number of accounts from holding an outstanding code at the same time.
So, if a million different accounts request a password reset within a short period and none of the codes is used, the whole 6-digit range is consumed, and by the pigeonhole principle the 1,000,001st request must be issued a code that is already assigned to someone else. An attacker who knows one valid code then only needs to find which account it belongs to.
How to hack Facebook accounts by exploiting password reset bug?
To demonstrate the attack, Gurkirat first collected 2 million valid Facebook user IDs. He did so by querying Facebook’s Graph API for sequential IDs starting at 100,000,000,000,000, which returned the profile picture and full name for each ID that existed.
Then, Gurkirat used a script to trigger a password reset request for each of those 2 million users, enough to exhaust the entire 6-digit code space. To avoid having his IP address blocked for sending password reset requests over and over, he routed the traffic through a proxy service that assigned a different IP address to each HTTP request.
Gurkirat was making 923 HTTP requests per second using his 8 virtual machines
Here’s the huge amount of preparation done by him to run his script:
“Got a free trial of Google Compute Engine and hosted my scripts on a virtual machine. I set up 8 VMs (12 cores/20 GB RAM each) over 4 different regions and instantiated 180 PhantomJS instances per VM for full CPU utilization. Then I let all my scripts do their thang!”
The final step was to pick one random 6-digit code and try it against every user ID in his list, since with that many outstanding codes the chosen value was very likely to be the one currently assigned to somebody. In his words — “And guess what? I was able to find a matching ID.” That match gave him complete access to a random user’s Facebook account.
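To make the mechanism in the explanation above and the procedure Gurkirat followed concrete, here is an added example written for this article (it is not Facebook’s code, nor Gurkirat’s script, and it makes no claim about how Facebook’s service is actually implemented). It models the described behaviour of the vulnerable reset flow, replays the attack against a constructed list of user IDs, computes how likely a single guessed code is to hit at least one account, and sets a hardened reset-token design beside it. The class names, the `TTL_SECONDS`/`MAX_ATTEMPTS` values and the user-ID list are all assumptions made for the illustration.

```python
"""Toy model of the reset-code weakness described above, plus a hardened
counterpart. Written for this article as an illustration; it is NOT
Facebook's code and makes no claim about how Facebook's service works."""
import hmac
import math
import random
import secrets

CODE_SPACE = 10**6  # six-digit codes: 000000 .. 999999


class VulnerableResetModel:
    """Assumed behaviour from the write-up: each account gets a random
    6-digit code that stays valid until it is used, and there is no limit
    on how many accounts may hold an outstanding code at once."""

    def __init__(self, code_space=CODE_SPACE, rng=None):
        self.code_space = code_space
        self.rng = rng or random.Random()
        self.codes = {}  # user_id -> outstanding code

    def request_reset(self, user_id):
        # An existing code is handed out again rather than replaced (the bug).
        if user_id not in self.codes:
            self.codes[user_id] = self.rng.randrange(self.code_space)
        return self.codes[user_id]

    def try_code(self, user_id, code):
        """True iff the guess equals the code outstanding for this user."""
        return self.codes.get(user_id) == code


def hit_probability(n_outstanding, code_space=CODE_SPACE):
    """Chance that ONE random guess matches at least one of n outstanding,
    independently chosen codes: 1 - (1 - 1/space)^n, computed with
    log1p/expm1 so it stays accurate for huge spaces. For 2,000,000
    requests against 10^6 codes this is about 0.865."""
    return -math.expm1(n_outstanding * math.log1p(-1.0 / code_space))


def run_attack(n_users, guess, code_space=CODE_SPACE, rng=None):
    """Replay the described procedure: request a reset for every harvested
    user ID, then try a single guessed code against all of them.
    Returns the user IDs whose outstanding code equals the guess."""
    service = VulnerableResetModel(code_space, rng)
    first_id = 100_000_000_000_000  # constructed IDs in the range the write-up enumerated
    user_ids = range(first_id, first_id + n_users)
    for uid in user_ids:
        service.request_reset(uid)
    return [uid for uid in user_ids if service.try_code(uid, guess)]


class HardenedResetModel:
    """Assumed hardened design: a 256-bit random token instead of 20 bits,
    a new request replaces the old token, tokens expire, are single-use,
    and a few wrong attempts burn the token."""

    TTL_SECONDS = 15 * 60  # assumption for the example
    MAX_ATTEMPTS = 3       # assumption for the example

    def __init__(self, clock):
        self.clock = clock  # callable returning the current time in seconds
        self.tokens = {}    # user_id -> [token, expiry, attempts_left]

    def request_reset(self, user_id):
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        self.tokens[user_id] = [token, self.clock() + self.TTL_SECONDS, self.MAX_ATTEMPTS]
        return token

    def redeem(self, user_id, presented):
        entry = self.tokens.get(user_id)
        if entry is None:
            return False
        token, expiry, _ = entry
        if self.clock() > expiry:
            del self.tokens[user_id]
            return False
        if not hmac.compare_digest(token, presented):  # constant-time comparison
            entry[2] -= 1
            if entry[2] <= 0:
                del self.tokens[user_id]
            return False
        del self.tokens[user_id]  # single use
        return True


if __name__ == "__main__":
    rng = random.Random(1)
    space, n = 10**4, 2 * 10**4  # scaled down 100x, same 2:1 ratio as 2M users vs 10^6 codes
    trials = 100
    won = sum(1 for _ in range(trials) if run_attack(n, rng.randrange(space), space, rng))
    print(f"vulnerable model: {won/trials:.2f} of trials hit someone, predicted {hit_probability(n, space):.2f}")
    print(f"hardened model:   one guess hits with p ~ {hit_probability(n, 2**256):.1e}")
```

The point the formula makes is that the attacker does not need to exhaust the range: with 2 million outstanding codes a single guess finds an account roughly 86% of the time, and the expected number of matching accounts is 2. The hardened model removes every lever the attack relied on: a guess has a negligible chance of being right, it cannot be tried many times, the token dies on its own, and a fresh request invalidates the old one instead of reissuing it.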
Facebook patched the bug after Gurkirat’s report and awarded him a bounty of just $500. Gurkirat writes that, despite it being a critical bug, Facebook classified his finding as low priority.
Here’s what Gurkirat has to say:
“As it stands, this critical bug which lets you gain complete access to someone’s account is Facebook’s low priority (don’t know why).”
Important: Please note that this article is only for educational purposes.
You can read Gurkirat’s complete account here.