Monday, January 7, 2013

Facebook Bug #4: Password Reset Vulnerability Found in www.facebook.com

Description
Sow Ching Shiong, an independent vulnerability researcher, has discovered a password reset vulnerability in www.facebook.com that lets an attacker with access to a user's logged-in session change that user's password without knowing the current one, bypassing the re-authentication check that normally protects password changes.

Under normal circumstances, an authenticated Facebook user must enter his or her current password on the change-password page. This re-authentication step exists so that someone who merely has access to a logged-in session (an unattended browser, a shared computer, a stolen session cookie) cannot change the password without the account owner's knowledge.

However, an attacker can change or reset a user's password without knowing the current password by browsing directly to https://www.facebook.com/hacked, the recovery entry point for users who believe their account has been compromised.
Facebook then redirects to https://www.facebook.com/checkpoint/checkpointme?f=[userid]&r=web_hacked, where [userid] is the ID of the logged-in account.
Clicking "Continue" at that checkpoint leads to a new-password form that never asks for the current password, so the check enforced on the normal change-password page is bypassed entirely.

Proof of concept
Step 1: Log on to Facebook and browse directly to https://www.facebook.com/hacked. The page redirects to https://www.facebook.com/checkpoint/checkpointme?f=[userid]&r=web_hacked


Step 2: Click on "Continue" to proceed


Step 3: Enter "New Password" and "Confirm Password" to change/reset the password.
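The flaw in the description and proof of concept above is a re-authentication bypass: the sensitive action (setting a new password) is reachable through two entry points, and only one of them demands the current password. The Python model below is an added illustration, not code from Facebook or from the original post. It reproduces the vulnerable design beside a hardened one in which the check is enforced once, in the shared password-setting routine, so that no entry point can skip it. Every name in it (AccountService, hacked_checkpoint_reset, hijack_session, the PBKDF2 parameters, the in-memory user store and the "victim" account) is an assumption made for the demonstration; Facebook's real implementation is not known.

```python
import hashlib
import hmac
import os
import time
from typing import Dict, Optional, Tuple

PBKDF2_ROUNDS = 100_000          # assumed work factor for the demo
REAUTH_WINDOW_SECONDS = 300      # how long a re-entered password stays "fresh"


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate password against the stored digest."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


class Session:
    """A logged-in browser session; reauth_at is when the current password was
    last re-entered in this session (None = never)."""

    def __init__(self, user_id: str):
        self.user_id = user_id
        self.reauth_at: Optional[float] = None


class AccountService:
    def __init__(self, enforce_reauth_centrally: bool):
        self.enforce_reauth_centrally = enforce_reauth_centrally
        self.users: Dict[str, Tuple[bytes, bytes]] = {}   # user_id -> (salt, digest)

    def register(self, user_id: str, password: str) -> None:
        self.users[user_id] = hash_password(password)

    def login(self, user_id: str, password: str) -> Optional[Session]:
        stored = self.users.get(user_id)
        if stored is None or not verify_password(password, *stored):
            return None
        return Session(user_id)

    def reauthenticate(self, session: Session, current_password: str) -> bool:
        """Re-check the current password and stamp the session as freshly verified."""
        if verify_password(current_password, *self.users[session.user_id]):
            session.reauth_at = time.monotonic()
            return True
        return False

    def _set_password(self, session: Session, new_password: str) -> None:
        """The one place a password is written. In the hardened design the
        freshness check lives here, so every entry point inherits it."""
        if self.enforce_reauth_centrally:
            fresh = (session.reauth_at is not None
                     and time.monotonic() - session.reauth_at < REAUTH_WINDOW_SECONDS)
            if not fresh:
                raise PermissionError("re-authentication required before changing password")
        self.users[session.user_id] = hash_password(new_password)

    # Entry point 1: the normal change-password page, which always asks for the
    # current password (the behaviour the post describes as expected).
    def change_password(self, session: Session, current_password: str,
                        new_password: str) -> None:
        if not self.reauthenticate(session, current_password):
            raise PermissionError("current password incorrect")
        self._set_password(session, new_password)

    # Entry point 2: the "my account was hacked" checkpoint (the /hacked -> checkpointme
    # flow in the post). It never prompts for the current password.
    def hacked_checkpoint_reset(self, session: Session, new_password: str) -> None:
        self._set_password(session, new_password)


def hijack_session(user_id: str) -> Session:
    """An attacker who holds the victim's logged-in session (an unattended browser
    or a stolen session cookie) but does not know the victim's password."""
    return Session(user_id)


def demo() -> Dict[str, str]:
    """Replay the attack from the post against both designs; returns the outcomes."""
    outcomes: Dict[str, str] = {}
    for label, central in (("vulnerable", False), ("hardened", True)):
        svc = AccountService(enforce_reauth_centrally=central)
        svc.register("victim", "correct horse battery staple")   # constructed account
        attacker = hijack_session("victim")
        try:
            svc.hacked_checkpoint_reset(attacker, "attacker-chosen")
            outcomes[label] = "password changed without the current password"
        except PermissionError as err:
            outcomes[label] = f"blocked: {err}"
    return outcomes


if __name__ == "__main__":
    for design, outcome in demo().items():
        print(f"{design:10s} {outcome}")
```

The design point is where the check lives. Putting it in each page that offers a password form (the vulnerable variant) means every new recovery flow, such as the hacked-account checkpoint, has to remember to add it; putting it in the single routine that writes the password means a forgotten prompt fails closed instead of silently bypassing re-authentication. The same argument applies to any other sensitive action reachable from several UI paths: e-mail changes, 2FA removal, session revocation.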


Conclusion
This vulnerability has been confirmed and patched by the Facebook Security Team. I would like to thank them for their quick response to my report.

Facebook White Hat

https://www.facebook.com/whitehat

77 comments:

  1. That's a nice find Sow. Congrats \m/
    b0nd

    Replies


    1. http://FbHacker.Pw/
    2. How To Hack Any Facebook Password:

      http://finalfbelitehack.blogspot.ro Final version of FB Elite Hacker Online ..(unverification doesn`t work with all email)

      Direct Link : http://fbelitehacker.id1945.com

    3. Facebook Hacker 2.0, tested, 90% works. Click Here!!
  2. Replies
    1. Please hack this account
      http://www.facebook.com/subair.nmlp
  3. Facebook Security Team. I would like to thank them for their quick response to my report. get1000fans.com

  4. Replies
    1. Hi, this bug has been fixed by Facebook Security Team.

  5. Replies


    1. http://FbHacker.Pw/
  6. Replies
    1. Hi, this bug has been fixed by Facebook Security Team.

  7. You idiot. You coulda become a millionaire in so many ways from this instead of reporting it.

    Replies
    1. Because of guys like you, people are provoked to commit crimes. Stop shortcuts, start helping.
  8. Could anyone help me find a way to hack the password of a Facebook user? I need to get inside the account because this person is sick and the information is really important for our family... I believe that the Facebook support team will erase or suspend the account if you report a health problem of a user....... Please, please email me (guzmanoctavio@hotmail.com/octguzman@gmail.com) if you can help!! It's just a matter of a couple of inbox conversations we need to check...... THANK YOU !!!!
  9. Help me to hack Facebook, Yahoo, Gmail accounts.
    Mail me:
    khaliqdad91@yahoo.com

    Replies
    1. Hey, even I want to hack one Yahoo mail ID. Please help me. If you have any idea, please send it to me: arumaikani@gmail.com
  10. Fuck you. Why do you get to find such an easy vulnerability and report it for little money? I was on a similar page in the past. I should've found out about this long ago. Instead I do tons of research on facebook and find nothing as serious as a remote password reset vuln. Moron.

    You coulda stolen tons of large fanpages with that exploit and sold them for thousands or as traffic.

  11. Most of your vulnerability discoveries, haven't been as serious as this one.

  12. Great! Congrats
    http://www.thehackerspost.com/2013/01/facebook-password-reset-vulnerability.html
  13. Hello
    Dear, I visited the site and like your site. I welcome you to my site. Please visit & comment.
    Facebook New
  14. Which can be exploited by an attacker Steal Facebook Passwords to bypass certain security restrictions.

  15. Home Wellbeing has a wide range of One Stop Home Essentials products that care for the wellbeing of You and Your Loved Ones.

  16. This matter is down to earth, hats off buds out there.
    how to get facebook likes

  17. Home Lifestyle has a wide range of One Stop Home Essentials products suited for the Active, Busy, Mobile and City Living People, bringing the Quality of Life to a different level.

  18. Social media is a promotional tool that is widely used by large companies, because social media provides many benefits to companies, one of which is that the company's customer relationships can be established smoothly; the fan page can also be used by customers, so customers feel satisfied and well served. Besides, companies can also promote via Facebook or other social media more effectively. http://www.moreviews.net
  19. it is now 100 million facebook users
    on the app "facebook for every phone"



  20. http://FbHacker.Pw/
  21. How To Hack Any Facebook Password:

    http://finalfbelitehack.blogspot.ro Final version of FB Elite Hacker Online ..(unverification doesn`t work with all email)

    Direct Link : http://fbelitehacker.ws43.com/

  23. It's fantastic that you simply have gotten thoughts from this post likewise as from our dialogue created here.

    Feel free to surf my page:- Hotmail Technical Support

  24. My friend, these tips help you recover a Facebook password. First of all, create three new Facebook accounts and add all three accounts to your friend's friend list. If you are done with the first step then you have done 90% of your work. Click on the Forgot your Password button. It will show three options to recover your password. In the first option give his email address and in the Name field give your friend's full name and your name, and click on the Search button. Now if everything goes well you will see the profile picture of that person. Here click on No longer have access to these. Now enter your new email address, which isn't associated with any Facebook account yet, and click on the Submit button. Now after three unsuccessful attempts, it will ask you to recover your account with the trusted friend feature. Click on the Continue button.
    pirater un compte facebook
  25. http://FbHacker.Pw
  26. Thanks. I also share something with you; hope you like it. Statistically speaking that should probably cover about 20% of you. But don't worry. If I didn't get it yet it will probably only take a few more minutes before I do… Hackers, and I'm not talking about the ethical kind, have developed a whole range of tools to get at your personal data. And the main impediment standing between your information remaining safe, or leaking out, is the password you choose. (Ironically, the best protection people have is usually the one they take least seriously.) One of the simplest ways to gain access to your information is through the use of a Brute Force Attack. This is accomplished when a hacker uses a specially written piece of software to attempt to log into a site using your credentials. Insecure.org has a list of the Top 10 FREE Password Crackers right here.
    pirater un compte facebook
  27. Friends.. I want to know how to hack an FB account. Send me an easy way to hack.. my mail Raviteja.j@hotmail.com
  28. I refused to read the article as I was so outraged by the headline but my response is unambiguous! Before economic development, the people of Africa need to regain confidence in their cultural identity. Why can't we all just get along? Hack Facebook

  29. Quality stuff may be the key to invite the users to visit and begin to see the blog site; that's what this site provides.
    remembrance
  30. Thank you for info about Password Reset Vulnerability Found in www.facebook.com!!
  31. If somebody wants expert take on the main topic of blogging next I advise him/her to go to this site, continue the fussy job. pirater un compte facebook

  32. This is an informative blog by which I have got that info which I really wanted to get.
    pirater facebook

  33. No wonder why you receive countless feedbacks. social media infographics
  34. I have learnt various good stuff right here, and I'm sure everyone will get advantage of it. cambridge
  35. I have been really impressed by going through this awesome blog. comment hacker un compte facebook

  36. You entirely go with our expectation and the range of our information.
    get more likes on facebook

  37. I used to buy diamonds for this game until a friend told me about the Hay Day Hack from here: Clash of Clans Hack It really helped me and I hope it will help you too. It also gave me coins and doubled my experience.

  38. In modern times when the internet has so much facility for gossip and stuff, your articles have awfully refreshed me. how to become instafamous overnight
  39. This is a very nice blog and a very useful blog. And other information on our blog: recoveryourpassword
  40. Thanks for providing precious information.
    email support

  41. Wonderful blog & good post. It's really helpful for me........... I read it very seriously
    Visit Also Here:-- Gmail Support Call Toll Free No +1-800-231-4635 For US/CA.
  42. Congrats you individuals are doing with this blog site. Chattanooga Marketing Group

  43. I want more and more articles and blogs please post soon such informative information. best seo company
