As scary as this may appear to be to Facebook’s security measures, this will not sit well in the face of the public.
In India, a White Hat Hacker proclaims to have found a way in which he is capable of hacking into any Facebook profile he so desires. And just like a good White Hat Hacker should do, he then proceeded to alert the Facebook Corporation, informing them of the notorious loophole found amongst their servers. Facebook eagerly awarded the hacker with a $15,000 Bug Bounty; seemingly small, considering the wide spread of profiles that can be hacked.
The White Hat Hacker known as Anand Prakash, is a security engineer from India. After the bug find of Facebook’s server(s), he went on to writing a blog entitled How I could have hacked all Facebook accounts.
It was during this blog, which he proceeded to exploit the Facebook’s “Forgot Password?” algorithm. By lurking deeper into Facebook’s forgot password system, he was able to force his way into several accounts. As proof of concept, Prakash posted a video of his victim’s profile of the exploit. He would also include a screen shot boasting about the Bug Bounty payment from Facebook.
As you probably know, when you forgot your password on Facebook, the company sends you a 6 digit numbered combination in order to gain access to your account. However, the problem with this algorithm is that the beta version (beta.facebook.com) does not provide any rate-limiting functionality. Thus, allowing our White Hat Hacker friend to brute-force his way into any account. Once Prakash was in your account, he had full control over everything, from reading messages, to posting and deleting friends and pictures.
Here we can watch the whole video of the exploit happening from YouTube:
This article (Guy figured out how to Hack any Facebook Profile) is a free and open source. You have permission to republish this article under a Creative Commons license with attribution to the ITNinja and AnonHQ.com.