Facebook accounts were vulnerable to zero-click takeovers


A security bug on Facebook allowed full account takeovers with zero user input. Hijackers were able to request a password reset and brute force 6-digit security codes for two hours.

Samip Aryal, a security researcher and bounty hunter from Nepal, found a way to compromise anyone’s Facebook account. This responsible disclosure and three other awards put him at the top of Facebook’s Hall of Fame for white-hat hackers. Facebook fixed the issue on February 2nd.

Aryal found a way to abuse Facebook’s password reset functionality without rate-limiting, meaning that hackers had two hours to check possible combinations of 6-digit numbers, from 000000 to 999999. Aryal shared the findings in a blog post about his “highest-paid” report.

fb-reset

While that “may sound like a lot, given the two-hour time-frame, there are plenty of options to do that,” researchers from Malwarebytes confirmed.

Aryal found a vulnerable endpoint testing uninstallation-installation of several versions of Facebook on Android Studio, believing that different user agents might receive different server responses on each login page.

In one instance, he received a pop-up in the password reset flow, offering Facebook users to send a security code via Facebook notification. It turned out that the code was active and didn’t change for about two hours despite incorrect combinations being inputted.

“I didn’t see any sort of code invalidation after entering the correct code but with multiple previous invalid tries (unlike in the SMS reset functionality),” Aryal said when explaining how he discovered the zero-click account takeover method.

All hackers had to do was to choose any Facebook user account, go to its password reset flow, choose “Send code via Facebook notification,” try any code to receive server response, and then brute force their way into hijacking the account in two hours. The security researcher shared a few methods of how abusers could do that.

Aryal noted that Facebook application users would receive a notification that would display them a six-digit code directly or prompt them to “tap to see the login code.”

fb-code

“I wasn’t searching for any unique bugs for several months. It started when, one day, during my engineering board exam, I was like… Let’s search for Account Takeover,” the researcher said.

“I needed a fresh untouched/hidden/unnoticed endpoint to look for. And when it’s about an “untouched endpoint,” I thought looking on the web is like nah.. Everybody looks on the web. So I started my Android Studio setup, jumped into Facebook’s main login page, and tried looking for one.”