Sow Ching Shiong, an independent vulnerability researcher, has discovered a password-reset vulnerability in www.facebook.com that an attacker can exploit to bypass certain security restrictions.
Under normal circumstances, an authenticated Facebook user is required to enter his/her current password on the change-password page, which prevents an unauthorized person from changing the password without the user's knowledge.
However, an attacker can change/reset a user's password without knowing the user's current password by accessing this URL directly: https://www.facebook.com/hacked.
After that, the page is redirected to https://www.facebook.com/checkpoint/checkpointme?f=[userid]&r=web_hacked.
Now, the attacker can click "Continue" to change/reset the user's password.
Proof of concept
Step 1: Log on to Facebook and access this URL directly: https://www.facebook.com/hacked. The page will be redirected to https://www.facebook.com/checkpoint/checkpointme?f=[userid]&r=web_hacked.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg4yaoBr7RzMsuL_ZMEvcH9bFMGg83SeUt5iriyjrAIiFthPiccS4cCzgVK1q794VB2-8AAcrtiZBRTgkx8WYnW8FFikSrofo2A82qXy4cQ6d19fku1d9kU9zXp_62NENApwWy42XMMv3FS/s400/Step+1.png)
Step 2: Click on "Continue" to proceed.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDmXaL5jP9b3b0HnaVVbYJqpRFzZC64QU2oxjYKasTNsUkqi-6jqpUJb0Lxy01wQODDaT-1bamXHrtKwEbXMaIPaPI2ddSMKd2qCwDKUIGVJSm3YvaAnWUplsObQrhdBYIazPa-mL9HXuY/s400/Step+2.png)
Step 3: Enter "New Password" and "Confirm Password" to change/reset the password.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhAx3mEmkjrVi2HTL0WmAY4n6vE6JPN4OS-KdOdn_OO3k7-sSJcbJoLWXPnjWkS3MEO7R8x5koXSIwbcQkBjQCfntL27-2sK-CTPa6fTnZcJgr1iLJRBfitHS9gjLqhUbfUZEe2VxJCHbJe/s400/Step+3.png)
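The underlying defect is an authorization check that depended on which page the user entered through rather than on a fresh proof of possession. The following is an added illustration, not Facebook's code: the `Account` and `Session` classes, the PBKDF2 parameters and the 300-second recovery window are assumptions. It places a handler that mirrors the flaw (the "hacked" entry point alone grants the reset) beside a hardened one that demands the current password or a recently verified, single-use out-of-band recovery code, whichever route led to the form.

```python
import hashlib
import hmac
import os
import time

# Seconds a verified out-of-band recovery code stays usable (assumed value).
RECOVERY_WINDOW = 300

def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

class Account:
    def __init__(self, password):
        self.salt = os.urandom(16)
        self.pw_hash = _derive(password, self.salt)

    def verify(self, password):
        return hmac.compare_digest(self.pw_hash, _derive(password, self.salt))

    def set_password(self, new_password):
        self.salt = os.urandom(16)
        self.pw_hash = _derive(new_password, self.salt)

class Session:
    # recovery_verified_at is set only once an e-mail/SMS code was checked for this session
    def __init__(self, account):
        self.account = account
        self.recovery_verified_at = None

def change_password_vulnerable(session, new_pw, current_pw=None, via_hacked_flow=False):
    # The flaw: arriving via the "hacked" checkpoint counted as authorization on
    # its own, so a stolen cookie or an unattended logged-in browser was enough.
    if via_hacked_flow or (current_pw is not None and session.account.verify(current_pw)):
        session.account.set_password(new_pw)
        return True
    return False

def change_password_hardened(session, new_pw, current_pw=None, now=None):
    # Whichever page led here, demand a fresh proof: the current password or a
    # recently verified, single-use recovery code.
    now = time.time() if now is None else now
    if current_pw is not None and session.account.verify(current_pw):
        pass
    elif (session.recovery_verified_at is not None
          and 0 <= now - session.recovery_verified_at <= RECOVERY_WINDOW):
        session.recovery_verified_at = None  # consume: one reset per verified code
    else:
        return False
    session.account.set_password(new_pw)
    return True
```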
Conclusion
This vulnerability has been confirmed and patched by the Facebook Security Team. I would like to thank them for their quick response to my report.
Facebook White Hat
https://www.facebook.com/whitehat