White Hat Shows Exploit to Hack Any Facebook Account | Hacked: Hacking Finance

Samburaj Das

Samburaj is the contributing editor at Hacked and keeps tabs on science, technology and cyber security.

This article was posted on Tuesday, 19:22, UTC.

An Indian white hat hacker has revealed a vulnerability that gave him the means to hack into any Facebook user’s account. Being the white hat that he is, he promptly alerted Facebook, which duly granted him a bug bounty of $15,000. It’s a good thing he’s a white hat; as a malicious hacker he could have made millions.


Security researcher Anand Prakash from Bangalore, India has revealed a proof-of-concept hack that enabled him to take over any Facebook user’s profile. The ‘simple vulnerability’, as he called it, was revealed in a blog post that’s scarily titled “How I could have hacked all Facebook accounts.”

In the blog post, the white hat claimed that he gained full access to another user’s Facebook account without needing any interaction from the victim. Access was gained by resetting the victim's password to a new one. The flaw, Prakash discovered, lay in certain Facebook beta URLs that lacked routine security measures.

With the exploit, Prakash was able to view a profile’s messages, credit/debit card details stored in the payments section of the profile, personal photos and more. Essentially, he had gained complete access to the account.


The Facebook Hack

Facebook routinely texts or emails a one-time password in the form of a six-digit confirmation code to users who seek to reset their passwords, usually after forgetting the password.

Once the code is delivered, Facebook allows the user only a limited number of attempts to enter it correctly. This security measure, called rate-limiting, stops an attacker from gaining access to a user’s account by guessing the reset code; with unlimited attempts, a six-digit code can simply be brute-forced.

While Facebook’s main website unsurprisingly implements rate-limiting, its beta websites (beta.facebook.com) did not. When Prakash discovered this, he brute-forced the reset code with an unlimited number of attempts and gained access to the account. His proof of concept is shown below.
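The rate-limiting check the article describes, as an added example written for this page (not Prakash's proof of concept or Facebook's code); the attempt limit, the code lifetime and the status strings are assumptions, and `max_attempts=None` models the beta endpoint that never refused a guess:

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumed policy values: the article does not state Facebook's real limit or code lifetime.
MAX_ATTEMPTS = 10
CODE_TTL_SECONDS = 600

@dataclass
class ResetChallenge:
    code: str           # the six-digit one-time code sent to the user
    issued_at: float    # issue time, read from the injectable clock
    attempts: int = 0   # guesses consumed so far
    locked: bool = False

class ResetCodeVerifier:
    """Issues six-digit reset codes and counts guesses per challenge.
    max_attempts=None models the beta endpoint: guesses are never refused."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, ttl=CODE_TTL_SECONDS, clock=time.time):
        self.max_attempts = max_attempts
        self.ttl = ttl
        self.clock = clock      # injectable so tests can control expiry
        self.challenges = {}    # user_id -> ResetChallenge

    def issue(self, user_id):
        code = f"{secrets.randbelow(1_000_000):06d}"  # uniform over 000000..999999
        self.challenges[user_id] = ResetChallenge(code, self.clock())
        return code  # delivered out of band (SMS/email); never echoed in the HTTP response

    def verify(self, user_id, submitted):
        ch = self.challenges.get(user_id)
        if ch is None:
            return "no_challenge"
        if ch.locked:
            return "locked"  # refused before the guess is even compared
        if self.clock() - ch.issued_at > self.ttl:
            del self.challenges[user_id]
            return "expired"
        ch.attempts += 1
        if hmac.compare_digest(ch.code, submitted):
            del self.challenges[user_id]  # single use
            return "ok"
        if self.max_attempts is not None and ch.attempts >= self.max_attempts:
            ch.locked = True  # the user must request a fresh code
            return "locked"
        return "wrong"
```

Once a challenge is locked, even the correct code is refused, so the only way forward is a fresh code; a verifier built with `max_attempts=None` keeps accepting the correct code after any number of wrong guesses, which is the weakness the beta site exposed.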

Prakash revealed that he notified Facebook of the vulnerability on February 22nd and verified the fix the very next day. On March 2, a bounty of $15,000 was awarded to the Indian white hat.

For saving the social media company from a huge PR disaster, his alert was worth a whole lot more than the $15,000.

Featured image from Shutterstock.
