Hacking a Facebook account could have been a very easy task. A white hat hacker from California explained in full how someone could hack a Facebook account by exploiting a password reset bug in Facebook. He obtained 2 million valid Facebook account IDs for this purpose and then made a password reset request for all of the accounts. He tried a random 6-digit pass-code by brute force and found a victim Facebook account.
Who is a White hat hacker?
Many hackers search the web with negative intentions. They often search for “How to hack Facebook account?” and find ready-made scripts with malware inside. When they run such a script on their computer, they become its victims themselves.
On the other hand, white hat hackers try to enhance security. They report bugs and vulnerabilities in software so that users’ private data does not fall into the wrong hands. If their claim about a security loophole is valid, the organization also awards them a bug bounty.
How does the password reset bug work?
He revealed the bug in detail in his blog post. He said that when a user requests a password reset, Facebook’s algorithm gives the user a random 6-digit number.
Now, if the pass-code has only 6 digits, the number of possible combinations is 10^6 = 1,000,000. So if 1 million users request a password reset within a short time period and none of them uses the pass-code, the 1,000,001st user will get a pass-code that is already assigned to one of the previous 1 million users.
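The arithmetic above, worked through as an added example (it is not code from the original blog post or from Facebook). It assumes each reset code is drawn independently and uniformly at random, and all function names are illustrative.

```python
import math
import random

def guaranteed_duplicate(outstanding: int, digits: int = 6) -> bool:
    """Pigeonhole: more live codes than possible values forces a repeat."""
    return outstanding > 10 ** digits

def hit_probability(outstanding: int, digits: int = 6) -> float:
    """Chance that ONE fixed guess equals at least one of `outstanding` live codes.

    Assumption (not stated on the page): codes are independent and uniform.
    1 - (1 - 1/space)^outstanding, computed stably for a tiny 1/space.
    """
    space = 10 ** digits
    return -math.expm1(outstanding * math.log1p(-1.0 / space))

def min_digits(outstanding: int, max_probability: float) -> int:
    """Shortest numeric code that keeps hit_probability at or below the target."""
    digits = 1
    while hit_probability(outstanding, digits) > max_probability:
        digits += 1
    return digits

def simulate(outstanding: int, digits: int, trials: int, seed: int = 1) -> float:
    """Monte Carlo check of hit_probability on a scaled-down code space."""
    rng = random.Random(seed)  # seeded so the run is repeatable
    space = 10 ** digits
    hits = 0
    for _ in range(trials):
        guess = rng.randrange(space)
        live = {rng.randrange(space) for _ in range(outstanding)}
        hits += guess in live
    return hits / trials

if __name__ == "__main__":
    print("1,000,001 live 6-digit codes force a repeat:",
          guaranteed_duplicate(1_000_001))
    for n in (1_000_000, 2_000_000):
        print(f"{n:>9,} live codes -> one guess matches with p = "
              f"{hit_probability(n):.4f}")
    print("digits needed for p <= 0.1% at 2,000,000 live codes:",
          min_digits(2_000_000, 0.001))
    # Same 2:1 ratio of live codes to code space, small enough to simulate.
    print("simulated (2,000 live 3-digit codes):", simulate(2_000, 3, 1_000))
```

Per-account attempt limits do not change these numbers, because each account sees only one guess; a longer code or a cap on how many codes are valid at the same time does.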
Facebook account hack by exploiting Facebook password reset bug?
Gurkirat Singh collected 2 million valid Facebook user IDs using the Facebook Graph API. As user IDs are 15 digits long, Singh made 10^15 queries to the Graph API for user IDs and successfully found 2 million.
He made password reset requests for the 2 million users using a script he wrote. The requests were made in a very short time and consumed the whole 6-digit range. To avoid having his IP address blocked for repeatedly sending password reset requests, he used a proxy server. Through the proxy server, each HTTP request was made from a different IP address and looked like a valid HTTP request from a different computer.
Here is what he had to do to run his script:
“Got a free trial of Google Compute Engine and hosted my scripts on a virtual machine. I set up 8 VMs (12 cores/20 GB RAM each) over 4 different regions and instantiated 180 PhantomJS instances per VM for full CPU utilization. Then I let all my scripts do their thang!”
After doing that, he just picked a random 6-digit reset code and tried it by brute force against the 2 million Facebook IDs and, guess what, he found a match! He got full access to that user’s account. It must have been a great moment for him to exploit this vulnerability.
Facebook rewarded him with a bounty of only $500, considering it a low-priority bug report. He also highlighted this reaction of Facebook to his findings.
ATTENTION! This information is only for educational purposes, so don’t use it for negative ones.