If you were diligent enough, or a really crafty hacker, you could have gotten into anyone’s Facebook account during a brief window late last month. A recently discovered bug allowed people to keep guessing someone’s Facebook password reset code until they gained access. Sites usually give users only a handful of attempts before locking the account so that unauthorized people can’t get in. Unfortunately, this bug worked around that protection, letting attackers use a computer program to keep trying codes until they got in, after which they could change the password and access personal details.
The bug was discovered on February 22nd by Anand Prakash, a security researcher from India, who received $15,000 USD from Facebook on March 2nd under the company’s bug bounty program. The bug reportedly abused the way Facebook lets users back into their accounts after they have lost their password.
You can reset your Facebook login by entering a phone number or email address, to which Facebook sends a code that stands in for your password. You can’t keep entering codes on the main site, since you’re blocked after the 10th or 12th attempt, but on the beta site used by developers this check was reportedly missing. Prakash was able to reset his own password without ever receiving the code. Facebook says it has already fixed the vulnerability.
According to Facebook Security Communications rep Melanie Ensign, the bug was reportedly only live for 72 hours, because the beta site is normally protected against brute-force attacks as well, including attempts to bypass rate-limiting. Unfortunately, the error happened while Facebook was carrying out a system change on the back end, leaving the beta site temporarily vulnerable.
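To illustrate the missing check, here is an added example (not code from the article or from Facebook) of a reset-code verifier that enforces a per-code attempt limit like the one the main site applies; the class name, the limits, the six-digit code format and the ten-minute expiry are assumptions chosen for the demo.

```python
# Added example, not code from the article or from Facebook: a reset-code
# verifier that enforces the per-code attempt limit the article says the
# beta site lacked. Names, limits and code format are assumptions.
import hmac
import secrets
import time

MAX_ATTEMPTS = 10           # article: the main site blocks after the 10th or 12th try
CODE_TTL_SECONDS = 10 * 60  # assumption: a code is only valid for ten minutes
CODE_DIGITS = 6             # assumption about the code format, chosen for the demo


class ResetCodeVerifier:
    """One pending reset code per account; a bounded number of guesses per code."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, ttl=CODE_TTL_SECONDS, clock=time.time):
        self.max_attempts = max_attempts
        self.ttl = ttl
        self.clock = clock   # injectable so tests can control time
        self.pending = {}    # account -> {"code", "attempts", "expires"}

    def issue(self, account):
        """Create a fresh code for `account`. In production it is delivered
        out of band (SMS/email) and never returned to the HTTP caller."""
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        self.pending[account] = {"code": code, "attempts": 0,
                                 "expires": self.clock() + self.ttl}
        return code

    def verify(self, account, guess):
        """Return 'ok', 'wrong_code', 'expired', 'locked' or 'no_pending_reset'."""
        entry = self.pending.get(account)
        if entry is None:
            return "no_pending_reset"
        if self.clock() > entry["expires"]:
            del self.pending[account]
            return "expired"
        entry["attempts"] += 1
        if entry["attempts"] > self.max_attempts:
            # Too many guesses: discard the code so even the right value is now
            # useless and the user must request a new one. Code issuance must be
            # rate-limited too, or an attacker simply asks for a fresh code.
            del self.pending[account]
            return "locked"
        if hmac.compare_digest(entry["code"], guess):  # constant-time compare
            del self.pending[account]                   # single use
            return "ok"
        return "wrong_code"
```

The key property is that once the limit is hit the correct code is rejected as well, which is exactly what an unlimited guessing loop relies on not happening.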
Source: Independent + Gizmodo