
A vulnerability in the password reset flow allows any Facebook account to be hijacked


by sigismund » 2016-08-29 13:43:34


The problem lies in the algorithm the social network uses to generate the random six-digit reset code.


California-based researcher Gurkirat Singh demonstrated a simple method of hijacking any Facebook account that works regardless of the password's complexity and of any additional protection on the account.

The researcher discovered a vulnerability in Facebook's password reset which, once exploited, gives the attacker full access to any user's account, including the ability to read messages and payment card data, publish posts, and so on. According to Singh, the attack is simple in essence but laborious to carry out.
The problem lies in the algorithm the social network uses to generate the random six-digit code (1 million possible combinations). According to Singh, the system draws codes from this fixed pool, so once the whole pool has been used up it has to start reissuing codes that are already in use.

"Thus, if 1 million users send password reset requests within a short period of time, the 1,000,001st person will receive a code that has already been issued to some other account," Singh explained.

In the first stage Singh used the Facebook Graph API Explorer to collect a database of valid Facebook user IDs, starting from 100000000000000. By checking the page www.facebook.com/[ID] he compiled a list of 2 million valid user logins on the social network. Next, using a script routed through hundreds of proxies with randomised User-Agent strings, Singh automatically triggered password reset requests for those 2 million users, picked one of the codes received (338625), and brute-forced the accounts for which the username/338625 combination was valid. As a result, the researcher was able to reset the password of, and gain access to, arbitrary Facebook accounts.

Singh reported his findings to Facebook's security staff. The social network acknowledged the problem and paid the researcher a $500 reward, as it did not consider the vulnerability dangerous enough for more.

Recall that in March of this year researcher Anand Prakash reported a similar vulnerability in Facebook's password reset that allowed the six-digit verification code to be guessed by brute force.
sigismund
moderators
Posts: 788
Deposit: 0 BTC

Rating: 5
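The point of Singh's attack is that he inverted the usual brute force: instead of guessing a million codes against one account (which per-account attempt limits stop), he fixed one code and tried it against millions of accounts, giving each account a single guess. The following is an added example that models that inversion and one way to close it; it is not Singh's script or Facebook's code. It assumes the attacker learns one valid code by resetting an account he controls (the article only says he picked one of the codes received), uses a constructed ID range starting at 100000000000000 in place of the harvested list, and the hardened service is my own mitigation (binding the code to an unguessable per-request token with a small attempt budget), not Facebook's published fix.

```python
import hmac
import random
import secrets

CODE_SPACE = 10 ** 6  # six decimal digits: exactly one million possible codes


class VulnerableResetService:
    """Toy model of the flaw described above: every reset request gets an
    independent random six-digit code, and verification only asks whether the
    code currently on file for that user matches. Nothing binds the code to
    the party that requested the reset."""

    def __init__(self, rng):
        self.rng = rng
        self.codes = {}  # user_id -> current reset code

    def request_reset(self, user_id):
        code = f"{self.rng.randrange(CODE_SPACE):06d}"
        self.codes[user_id] = code
        return code  # stands in for the e-mail/SMS the account owner receives

    def verify(self, user_id, code):
        return self.codes.get(user_id) == code


def expected_hits(n_requests, code_space=CODE_SPACE):
    """Expected number of accounts holding one specific code after n_requests
    independent resets: n / 10^6, so two million resets give about two hits."""
    return n_requests / code_space


def inverted_brute_force(service, user_ids, known_code):
    """Fixed code, variable user. Each account sees exactly one guess, so a
    per-account attempt limit never fires; only a global view of reset
    traffic (volume, proxies, one code succeeding across accounts) could."""
    return [u for u in user_ids if service.verify(u, known_code)]


def simulate_attack(n_victims, seed=2016):
    """Drive the vulnerable service end to end with a seeded RNG so the run is
    reproducible. Returns (service, attacker_code, list_of_hijacked_ids)."""
    svc = VulnerableResetService(random.Random(seed))
    # Constructed ID range standing in for the harvested list of valid IDs.
    victims = list(range(100_000_000_000_000, 100_000_000_000_000 + n_victims))
    # Assumption: the attacker learns one valid code from an account he controls.
    attacker_code = svc.request_reset(999)
    for v in victims:
        svc.request_reset(v)  # mass reset requests, as through the proxy script
    return svc, attacker_code, inverted_brute_force(svc, victims, attacker_code)


class HardenedResetService:
    """Hypothetical hardened variant: the code is only accepted together with
    an unguessable reset token that stays in the requester's browser session,
    and each token allows a few attempts before it is burned. Knowing a valid
    six-digit code for some other account is then useless."""

    def __init__(self, rng=None, max_attempts=5):
        self.rng = rng or random.SystemRandom()
        self.max_attempts = max_attempts
        self.pending = {}  # token -> (user_id, code, attempts_left)

    def request_reset(self, user_id):
        token = secrets.token_urlsafe(32)  # 256 bits, never e-mailed, never guessable
        code = f"{self.rng.randrange(CODE_SPACE):06d}"
        self.pending[token] = (user_id, code, self.max_attempts)
        return token, code  # token to the requester's session, code to the owner

    def verify(self, token, code):
        """Return the user_id whose password may now be reset, or None."""
        entry = self.pending.get(token)
        if entry is None:
            return None  # unknown or burned token: no account is even identified
        user_id, real_code, attempts_left = entry
        ok = hmac.compare_digest(real_code, code)
        if ok or attempts_left <= 1:
            del self.pending[token]  # consumed on success, burned after the last miss
        else:
            self.pending[token] = (user_id, real_code, attempts_left - 1)
        return user_id if ok else None


if __name__ == "__main__":
    svc, code, hits = simulate_attack(2_000_000)
    print(f"expected ~{expected_hits(2_000_000):.1f} accounts sharing code {code}; "
          f"found {len(hits)}: {hits}")
```

Run with the article's figure of 2 million reset requests and the vulnerable service yields on average two accounts whose current code is the attacker's, each reached with a single guess. Against the hardened service the same loop cannot even be written, because `verify` identifies the account through the session-bound token rather than a user ID the attacker can enumerate.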