Researcher Samip Aryal has uncovered an account-takeover vulnerability in Facebook's password reset flow. The flaw stems from a lack of rate limiting on a specific endpoint, which gave attackers the opportunity to brute-force the one-time reset code and take control of any Facebook account, potentially without user interaction.
Aryal discovered that, during Facebook's password reset process, one of the verification methods sends a 6-digit verification code to the user's other logged-in devices. This code, however, remained valid for an unusually long period of 2 hours and was not protected by any brute-force prevention mechanism. Consequently, once an attacker triggered a password reset for the target's Facebook account, they could use a penetration testing tool such as Burp Suite to brute-force the verification code, then reset the password and hijack the account. The researcher noted that when the vulnerability is exploited, the victim's device receives a pop-up notification, which may directly display the verification code or prompt the user to tap the notification to view it.
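As an added illustration (not code from the report, the researcher or Meta), the following server-side verifier shows why the reported policy (6-digit code, 2-hour validity, no attempt limit) is trivially brute-forceable and how an attempt cap plus a short expiry closes that gap; the hardened policy values are assumed, not taken from the report.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

CODE_DIGITS = 6                     # the 6-digit code described in the report
CODE_SPACE = 10 ** CODE_DIGITS

@dataclass
class ResetCode:
    """One password-reset code plus the policy that governs it."""
    code: str
    issued_at: float                 # seconds, from the caller's clock
    ttl_seconds: float
    max_attempts: Optional[int]      # None = no attempt limit (the reported weakness)
    attempts: int = 0
    consumed: bool = False           # used, expired or locked: can never succeed again

def issue_code(ttl_seconds: float, max_attempts: Optional[int], now: float) -> ResetCode:
    code = f"{secrets.randbelow(CODE_SPACE):0{CODE_DIGITS}d}"
    return ResetCode(code, now, ttl_seconds, max_attempts)

def verify_code(rc: ResetCode, submitted: str, now: float) -> str:
    """Return 'ok', 'expired', 'locked' or 'wrong'. Every failure is counted and
    reaching max_attempts burns the code, so enumeration can never complete."""
    if rc.consumed:
        return "locked"
    if now - rc.issued_at > rc.ttl_seconds:
        rc.consumed = True
        return "expired"
    rc.attempts += 1
    if hmac.compare_digest(rc.code, submitted):   # constant-time comparison
        rc.consumed = True
        return "ok"
    if rc.max_attempts is not None and rc.attempts >= rc.max_attempts:
        rc.consumed = True
        return "locked"
    return "wrong"

def exposure(rc: ResetCode) -> dict:
    """Quantify a policy: the chance a guesser wins within the attempt budget, and
    the request rate needed to cover the whole code space before expiry (only
    meaningful when attempts are unlimited)."""
    budget = CODE_SPACE if rc.max_attempts is None else min(rc.max_attempts, CODE_SPACE)
    return {"success_probability": budget / CODE_SPACE,
            "requests_per_second_to_exhaust": CODE_SPACE / rc.ttl_seconds}

# Assumed policy values: the reported configuration and a defensive alternative.
WEAK_POLICY = {"ttl_seconds": 2 * 3600, "max_attempts": None}
HARDENED_POLICY = {"ttl_seconds": 10 * 60, "max_attempts": 5}
```

With the weak policy, exhausting all one million codes inside the 2-hour window needs only about 139 requests per second, whereas the hardened policy caps a guesser at a 5-in-a-million chance before the code is burned.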
The researcher reported this vulnerability to Meta on January 30th, and it was patched on February 2nd. The severity of this vulnerability can perhaps be inferred from the bounty awarded by Meta, although the researcher did not disclose the amount. They mentioned that this was the highest bounty they have received from Meta so far.