Nepalese hacker tops Hall of Fame by hacking Facebook in 1 hour

Teacher

Facebook paid a record amount to a specialist for finding a vulnerability that gave access to any account.

Nepalese cybersecurity researcher Sameep Aryal discovered a vulnerability in Facebook's password reset flow that allowed an attacker to take over any account without any action on the part of the victim.

The discovery not only earned Aryal a record reward from the company but also the top position in the Facebook Hall of Fame for white-hat hackers in 2024. The size of the reward, however, has not been disclosed.

Aryal found that Facebook's password reset feature did not limit the number of attempts to submit a reset code, which made an attack possible without any user involvement: an attacker could trigger a password reset for the victim and then brute-force the 6-digit security code.

Aryal's research showed that when a password reset was started via Android Studio, the user was offered to receive the security code as a Facebook notification, and that code stayed valid for 2 hours even after unsuccessful attempts to enter it. Unlike a code sent by SMS, Aryal noted, it was not invalidated after several wrong attempts.


For some users the code is shown in the notification itself (ZeroClick); for others it only becomes visible after tapping the notification (OneClick).

Using brute force, Aryal was able to try every possible code within an hour, and he also found a way to make the code appear directly in the notification without the victim having to tap it. He reported the flaw to Facebook on January 30, 2024, and by February 2 the problem was fixed.
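The two points above (no attempt limit on the 6-digit code, and a code that stays valid for its full 2-hour window) are easy to see in code. The following is an added example, not code from the post or from Facebook: a tiny in-memory model of a reset-code verifier in its flawed form beside a hardened form, plus the attacker's enumeration loop. The lockout threshold (5 failed attempts), the class and function names, and the injected clock and `code=` test hook are assumptions made for the illustration; the 6-digit code space and the 2-hour validity come from the write-up.

```python
import secrets

CODE_DIGITS = 6
CODE_SPACE = 10 ** CODE_DIGITS
CODE_TTL_SECONDS = 2 * 60 * 60      # the 2-hour validity window described in the write-up
MAX_FAILED_ATTEMPTS = 5             # assumption: a typical lockout threshold


def requests_per_second_to_exhaust(space=CODE_SPACE, window_seconds=CODE_TTL_SECONDS):
    """Request rate an attacker needs to try every code before the window closes."""
    return space / window_seconds


class VulnerableResetVerifier:
    """Models the flawed behaviour: a code stays valid for its whole lifetime
    no matter how many wrong guesses have been submitted for it."""

    def __init__(self, clock):
        self.clock = clock              # callable returning seconds; injected so tests are deterministic
        self._codes = {}                # user -> (code, issued_at)

    def issue(self, user, code=None):
        # `code` is a test hook (assumption); real callers leave it None and get a random code
        if code is None:
            code = f"{secrets.randbelow(CODE_SPACE):0{CODE_DIGITS}d}"
        self._codes[user] = (code, self.clock())
        return code

    def has_active_code(self, user):
        return user in self._codes

    def _lookup(self, user):
        entry = self._codes.get(user)
        if entry is None:
            return None
        code, issued_at = entry
        if self.clock() - issued_at > CODE_TTL_SECONDS:
            del self._codes[user]       # expiry is the ONLY thing that ever invalidates the code
            return None
        return code

    def verify(self, user, guess):
        code = self._lookup(user)
        if code is None:
            return False
        return secrets.compare_digest(code, guess)   # constant-time compare; no attempt counting


class HardenedResetVerifier(VulnerableResetVerifier):
    """Same flow with the two missing controls: a failed-attempt counter that
    invalidates the code, and single use on success."""

    def __init__(self, clock):
        super().__init__(clock)
        self._failed = {}               # user -> failed attempts against the current code

    def issue(self, user, code=None):
        self._failed[user] = 0          # a fresh code starts with a fresh budget
        return super().issue(user, code)

    def verify(self, user, guess):
        code = self._lookup(user)
        if code is None:
            return False
        if secrets.compare_digest(code, guess):
            del self._codes[user]       # single use: an accepted code cannot be replayed
            return True
        self._failed[user] = self._failed.get(user, 0) + 1
        if self._failed[user] >= MAX_FAILED_ATTEMPTS:
            del self._codes[user]       # lockout: the attacker must trigger a new reset
        return False


def brute_force(verifier, user):
    """Attacker loop: enumerate 000000..999999 until a guess is accepted or the
    server stops accepting guesses. Returns (code_or_None, guesses_made)."""
    for n in range(CODE_SPACE):
        guess = f"{n:0{CODE_DIGITS}d}"
        if verifier.verify(user, guess):
            return guess, n + 1
        if not verifier.has_active_code(user):
            return None, n + 1
    return None, CODE_SPACE


if __name__ == "__main__":
    clock = [0]
    for cls in (VulnerableResetVerifier, HardenedResetVerifier):
        v = cls(lambda: clock[0])
        v.issue("victim", code="471938")       # fixed code only so the demo is reproducible
        print(cls.__name__, brute_force(v, "victim"))
    print(f"rate to cover the space in one hour: {requests_per_second_to_exhaust(CODE_SPACE, 3600):.1f} req/s")
```

Against the vulnerable verifier the loop always ends with the code, because nothing but the 2-hour TTL ever removes it; against the hardened one it stops after the fifth wrong guess with no code left to attack. The rate helper makes the "all combinations in an hour" figure concrete: a million codes in 3600 seconds is roughly 278 requests per second, which a rate limit of a few attempts per code removes entirely.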