We figured out a way to hack any of Facebook’s 2 billion accounts
Security Research


This post is about a simple vulnerability I discovered on Facebook which I could have used to hack into other users’ Facebook accounts easily and without any user interaction.

Anand Prakash
March 25, 2021

We are publishing this with the permission of Facebook under the responsible disclosure policy. They have fixed this vulnerability.


The bug gave me full access to other users' accounts: by setting a new password I could log in and view their messages, the credit/debit cards stored under their payments section, personal photos, and other private information.

Facebook acknowledged the issue promptly, fixed it, and rewarded me with a US $15,000 bounty based on the severity and impact of this vulnerability.

How the hack worked

Whenever a user forgets their password on Facebook, they can reset it by entering their phone number or email address at https://www.facebook.com/login/identify?ctx=recover&lwv=110.

Facebook then sends a six-digit code to that phone number or email address, which the user has to enter in order to set a new password.

I tried to brute-force the six-digit code on www.facebook.com and was blocked after 10–12 invalid attempts.

Then I looked for the same issue on beta.facebook.com and mbasic.beta.facebook.com. Interestingly, rate limiting was missing from the forgot-password endpoint on those hosts.

I tried it against my own account (as per Facebook's policy, you must not harm any other user's account) and successfully set a new password for it. I could then use that password to log into my own hacked account.

A proof of concept video of the hack

As you can see in the video, I was able to set a new password for the user by brute-forcing the code that was sent to their email address and phone number.

Vulnerable request

POST /recover/as/code/ HTTP/1.1
Host: beta.facebook.com

lsd=AVoywo13&n=XXXXX

Brute-forcing the n parameter (the six-digit code) allowed me to set a new password for any Facebook user.
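What a practitioner wants from this story is the server-side check that was missing, and a feel for how short the search is without it. The Python model below is an added example, not the author's proof of concept and not any Facebook code. It keeps the attempt counter next to the pending code in the backend, so every front end (www, beta, mbasic) shares one limit instead of each host enforcing its own. The ten-attempt cap (approximating the 10–12 the author hit on www.facebook.com), the 15-minute code lifetime, the account identifier and the names ResetCodeService and brute_force are all assumptions made for this illustration.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_LENGTH = 6             # Facebook's reset code was six decimal digits: 10**6 values
MAX_ATTEMPTS = 10           # assumed cap, close to the 10-12 the author hit on www.facebook.com
CODE_TTL_SECONDS = 15 * 60  # assumed lifetime; the post gives no figure


@dataclass
class PendingReset:
    code: str
    issued_at: float
    attempts: int = 0


class ResetCodeService:
    """Backend that issues and verifies password-reset codes.

    enforce_limit=False models the bug: the verification path reached through
    beta.facebook.com / mbasic.beta.facebook.com counted no attempts, so the
    whole 10**6 keyspace could be searched. enforce_limit=True models the fix:
    the counter lives with the pending code, so it applies to every front end.
    """

    def __init__(self, enforce_limit: bool, now=time.time):
        self.enforce_limit = enforce_limit
        self.now = now
        self.pending: dict[str, PendingReset] = {}

    def issue_code(self, account: str) -> str:
        # Uniform random code from a CSPRNG, zero-padded to six digits.
        code = f"{secrets.randbelow(10 ** CODE_LENGTH):0{CODE_LENGTH}d}"
        self.pending[account] = PendingReset(code=code, issued_at=self.now())
        return code

    def verify(self, account: str, guess: str) -> bool:
        """Return True and consume the code if guess is correct."""
        pending = self.pending.get(account)
        if pending is None:
            return False
        if self.now() - pending.issued_at > CODE_TTL_SECONDS:
            del self.pending[account]          # expired: force a fresh code
            return False
        if self.enforce_limit:
            pending.attempts += 1
            if pending.attempts > MAX_ATTEMPTS:
                # Burn the code. A lockout that only slows the attacker down
                # leaves the rest of the keyspace searchable later.
                del self.pending[account]
                return False
        # Constant-time comparison so the check itself does not leak timing.
        if hmac.compare_digest(pending.code.encode(), guess.encode()):
            del self.pending[account]          # single use
            return True
        return False


def brute_force(submit, account: str, max_tries: int = 10 ** CODE_LENGTH):
    """Submit 000000..999999 through submit(account, code) until one is accepted.

    Returns (code, attempts) on success, or (None, attempts) when the server
    never accepts a guess, for example because it invalidated the code.
    """
    for i in range(max_tries):
        guess = f"{i:0{CODE_LENGTH}d}"
        if submit(account, guess):
            return guess, i + 1
    return None, max_tries


if __name__ == "__main__":
    victim = "victim@example.com"   # constructed account identifier
    vulnerable = ResetCodeService(enforce_limit=False)
    real_code = vulnerable.issue_code(victim)
    print("unlimited endpoint:", brute_force(vulnerable.verify, victim), "real code:", real_code)

    hardened = ResetCodeService(enforce_limit=True)
    hardened.issue_code(victim)
    print("rate-limited endpoint:", brute_force(hardened.verify, victim, max_tries=50))
```

The submit callable is the only thing that changes between this model and a live test: against a real endpoint it would send the POST shown above with the candidate code in n. The design choice worth copying is that the limit is keyed by the account and stored with the code, not by the host or the client IP, so a second front end or a second source address buys the attacker nothing.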

Disclosure Timeline

Feb 22nd, 2016: Report sent to Facebook team.

Feb 23rd, 2016: Verified the fix from my end.

March 2nd, 2016: Bounty of $15,000 awarded by Facebook.

ABOUT THE AUTHOR
Anand Prakash

Anand Prakash is a prolific security researcher who is famous for finding bugs in some of the world's most popular apps and websites. He thrives on bug bounties, the large cash prizes he earns from companies in exchange for successfully hacking their systems and showing them their security flaws. Anand is supremely good at what he does, having discovered vulnerabilities at companies like Facebook, Twitter, and Uber. For the past five years, Facebook has ranked Anand as one of its top bounty hunters, and on Twitter's bounty program he is ranked #3 worldwide. Anand's reputation as a hacker has led to him being featured in last year's Forbes "30 under 30" for enterprise technology in Asia, and a major Indian news website declared Anand "one of India's best known white hat hackers."
