Facebook has patched a security hole that could have allowed an attacker to hack into any other user's account.
Anand Prakash, a product security engineer at Indian ecommerce company Flipkart, explains in a blog post that Facebook lets a user reset their password by entering their email address or phone number at this URL: https://www.facebook.com/login/identify?ctx=recover&lwv=110.
Once the user enters that information, Facebook sends a 6-digit code to their phone number or email address. This code allows them to sign into their account and reset their password.
Prakash was curious as to whether he could brute force this 6-digit code on www.facebook.com, but he was (quite rightly) blocked after 10-12 invalid attempts.
That's when the security engineer had an idea.
"Then I looked out for the same issue on beta.facebook.com and mbasic.beta.facebook.com, and interestingly rate limiting was missing on forgot password endpoints. I tried to takeover my account (as per Facebook's policy you should not do any harm on any other users account) and was successful in setting new password for my account. I could then use the same password to login in the account."
Prakash demonstrates the technique in a YouTube video:
At the heart of Prakash's exploit is a simple three-line vulnerable request sent out using Burp Suite:
POST /recover/as/code/ HTTP/1.1
Armed with the knowledge of a Facebook user's phone number, email address, or user name, pieces of information which to varying extents are all publicly available, the engineer used his brute force technique against Facebook's beta site - which is designed for software developers but accessible by everyone.
Cycling through all the possible six digit codes, he found that the beta site did not limit his attempts - and he could have gained access to any other user's messages, attached payment card information, and personal photos.
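The weakness Prakash found was not the code itself but the missing attempt budget on the beta hosts. The following Python is an added illustration of the server-side check that closes that gap; it is not Facebook's code, and the limit of 10 guesses and the 300-second lifetime are assumed values chosen for the example (the article only says facebook.com proper blocked Prakash after 10-12 tries).

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Hypothetical policy values for this example, not Facebook's actual settings.
MAX_ATTEMPTS = 10        # guesses allowed per issued code
CODE_TTL_SECONDS = 300   # assumed lifetime of a reset code


@dataclass
class ResetChallenge:
    code: str            # the 6-digit code that was sent out of band
    issued_at: float     # clock reading when the code was generated
    attempts: int = 0    # guesses made against this code so far
    consumed: bool = False


class ResetCodeVerifier:
    """Server-side state for password-reset codes with a per-code attempt budget.

    The counter is keyed by account and lives with the challenge, so it applies
    no matter which front end (www, beta, mbasic) forwards the request.
    """

    def __init__(self, max_attempts=MAX_ATTEMPTS, ttl=CODE_TTL_SECONDS, clock=time.time):
        self._challenges = {}
        self._max_attempts = max_attempts
        self._ttl = ttl
        self._clock = clock

    def issue(self, account_id):
        """Generate a fresh code for the account, replacing any earlier one."""
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._challenges[account_id] = ResetChallenge(code=code, issued_at=self._clock())
        # A real deployment delivers this via SMS/email; it is returned here
        # only so the example can be exercised offline.
        return code

    def verify(self, account_id, submitted):
        """Return 'ok', 'wrong_code', 'locked', 'expired' or 'no_active_challenge'."""
        challenge = self._challenges.get(account_id)
        if challenge is None or challenge.consumed:
            return "no_active_challenge"
        if self._clock() - challenge.issued_at > self._ttl:
            del self._challenges[account_id]
            return "expired"
        if challenge.attempts >= self._max_attempts:
            # Budget exhausted: even the correct code is refused until a new one is issued.
            return "locked"
        challenge.attempts += 1
        if hmac.compare_digest(challenge.code.encode(), submitted.encode()):
            challenge.consumed = True   # single use: a replay gets no_active_challenge
            return "ok"
        return "wrong_code"


if __name__ == "__main__":
    verifier = ResetCodeVerifier()
    code = verifier.issue("alice")          # constructed account id
    for _ in range(MAX_ATTEMPTS):
        print(verifier.verify("alice", "000000"))
    print(verifier.verify("alice", code))   # "locked": the budget is spent
```

Because the budget is tied to the issued code rather than to a hostname or a web-tier rule, a second front end such as beta.facebook.com cannot bypass it, and each new code is freshly randomised, so exhausting the budget and requesting another code gives no cumulative advantage.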
Prakash reported the vulnerability to Facebook on February 22nd. A day later, he confirmed that Facebook had patched the issue. He has since received US $15,000 for reporting the bug responsibly.
The simplicity of this hack has caused some to express concern about Facebook's beta site, as University of Surrey cybersecurity expert Professor Alan Woodward explained to The Telegraph:
"It was surprisingly simple, you’d have thought someone would have picked up on it now. You would think sites would allow you to have five attempts and then lock you out, it’s pretty standard practice."
As a result, it's to be hoped that Facebook will spend the next few weeks combing through its beta site for other simple yet severe bugs.
One thing needs to be pointed out. Although it is not covered in the engineer's post, an account set up with two-factor authentication (2FA) could potentially have foiled the exploit. If the beta site did recognize this feature at the time of the attack, a second layer of authentication could have forced the attacker to repeat the exploit, only this time, they would have needed to crack the security code before it expired in 30 seconds.
Two-factor authentication is crucial when attackers can use simple exploits like Prakash's code to reset your passwords. With that in mind, if any of your online accounts allow for 2FA, I suggest you set it up if you have not already done so.
If you are on Facebook, and want to be kept updated with news about security and privacy risks, and tips on how to protect yourself online, join the Graham Cluley Security News Facebook page.