{"id":24058,"date":"2024-02-29T04:10:07","date_gmt":"2024-02-29T12:10:07","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2024\/02\/29\/news-17788\/"},"modified":"2024-02-29T04:10:07","modified_gmt":"2024-02-29T12:10:07","slug":"news-17788","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2024\/02\/29\/news-17788\/","title":{"rendered":"Facebook bug could have allowed attacker to take over accounts"},"content":{"rendered":"\n<p>A vulnerability in Facebook could have allowed an attacker to take over a Facebook account without the victim needing to click on anything at all.<\/p>\n<p>The bug was found by a bounty hunter from Nepal called <a href=\"https:\/\/infosecwriteups.com\/0-click-account-takeover-on-facebook-e4120651e23e\">Samip Aryal<\/a> and has now been fixed by Facebook.<\/p>\n<p>In his search for an account takeover vulnerability, the four-time <a href=\"https:\/\/www.facebook.com\/whitehat\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Meta Whitehat award recipient<\/a> started by looking at the uninstall-and-reinstall flow on Android. 
By using several different <a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2017\/08\/explained-user-agent\">user agents<\/a> he encountered an interesting response in the password reset flow.<\/p>\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"416\" height=\"170\" src=\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2024\/02\/password-reset-flow.png\" alt=\"Send code via Facebook notification option to reset login\" class=\"wp-image-105526\" \/><\/figure>\n<p>On closer inspection, three properties of the login code made it an attractive attack vector:<\/p>\n<ul>\n<li>The code stayed valid for two hours.<\/li>\n<li>Requesting the code again during that window returned the same code rather than a fresh one.<\/li>\n<li>Wrong guesses were not counted or throttled, so there was no lockout after repeated failed attempts.<\/li>\n<\/ul>\n<p>Combined with the fact that the code is only six digits long, Samip saw an opening for a brute force attack, in which an attacker submits every possible value until one is accepted.<\/p>\n<p>With that information, and his extensive knowledge of the Facebook authentication process, the method Samip found to take over an account was relatively simple:<\/p>\n<ul>\n<li>Pick any Facebook account.<\/li>\n<li>Start logging in as that user and request a password reset (Forgot password).<\/li>\n<li>From the available reset options choose \u201cSend code via Facebook notification\u201d.<\/li>\n<li>Submitting a code creates a POST request. The code travels in the body of that request, so the request can be captured and resent with a different value each time.<\/li>\n<li>Replay that POST request for every one of the one million possible six-digit codes. 
A million guesses may sound like a lot, but with a two-hour window, an unchanging code and no lockout, automated tooling gets through it comfortably.<\/li>\n<li>The matching code is answered with a 302 status code, a redirect that serves as the oracle confirming the guess was right.<\/li>\n<li>Use the correct code to reset the password; the attacker now controls the account.<\/li>\n<\/ul>\n<p>There was one caveat. The account owner sees the notification on the device they are logged in on, and, strangely enough, the notification came in two flavors.<\/p>\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"502\" height=\"440\" src=\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2024\/02\/0click.jpg\" alt=\"The difference in notification that makes the difference between a zero-click or not\" class=\"wp-image-105527\" \/><\/figure>\n<p class=\"has-text-align-center\"><em>The difference in notification which makes it a zero-click or not<\/em><\/p>\n<p>The first works as described above. The second requires the account owner to tap the notification before Facebook generates a login code, which makes the takeover much harder to pull off.<\/p>\n<p>A detailed report of how Samip found the vulnerability is available on his <a href=\"https:\/\/samiparyal.medium.com\/0-click-account-takeover-on-facebook-e4120651e23e\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Medium page<\/a>.<\/p>\n<p>Facebook has awarded Samip a bounty and fixed the issue. Together with <a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2021\/04\/interview-with-a-bug-bounty-hunter-youssef-sammouda\">other bounty hunters<\/a>, Samip has submitted hundreds of reports to Meta, which they resolved, making Facebook and other platforms safer along the way. 
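<\/p>\n<p>The flow above, as an added example that is not part of the original article or of the researcher&#8217;s writeup: a constructed Python simulation of a reset-code verifier with the three weak properties the article lists (a long-lived code, the same code on every request, no limit on wrong guesses) beside a hardened version, plus a brute-force routine that stops at the first 302 the way the attack did. The class names, the ten-minute lifetime, the five-attempt budget and the 429 status are assumptions for illustration; nothing here reflects how Facebook&#8217;s backend was actually implemented.<\/p>\n
```python
import hmac
import secrets
import time

# Constructed simulation, added as an example: this is not Facebook code and
# makes no claim about how the real backend was built. Six-digit codes give
# a search space of 10**6 values.
CODE_DIGITS = 6
CODE_SPACE = 10 ** CODE_DIGITS


class WeakResetFlow:
    '''Reproduces the three properties the article lists: the code lives for
    two hours, re-requesting it returns the same code, and wrong guesses are
    neither counted nor throttled. `now` and `rng` are injectable so the
    behaviour can be exercised deterministically in tests.'''

    TTL_SECONDS = 2 * 60 * 60

    def __init__(self, now=time.time, rng=secrets.randbelow):
        self._now = now
        self._rng = rng
        self._codes = {}  # user -> (code, expiry timestamp)

    def request_code(self, user):
        code, expiry = self._codes.get(user, (None, 0))
        if code is None or expiry <= self._now():
            code = self._rng(CODE_SPACE)
            self._codes[user] = (code, self._now() + self.TTL_SECONDS)
        return code  # the same code comes back until it expires

    def verify(self, user, guess):
        '''HTTP-like status: 302 on a match (the redirect the researcher used
        as his success oracle), 200 for anything else. Nothing is counted.'''
        code, expiry = self._codes.get(user, (None, 0))
        if code is not None and expiry > self._now() and guess == code:
            return 302
        return 200


class HardenedResetFlow(WeakResetFlow):
    '''Same API with the fixes a reviewer would ask for: a short lifetime, a
    per-code attempt budget, a fresh code on every request, constant-time
    comparison and single use. Lifetime and budget are illustrative values.'''

    TTL_SECONDS = 10 * 60
    MAX_ATTEMPTS = 5

    def __init__(self, now=time.time, rng=secrets.randbelow):
        super().__init__(now, rng)
        self._attempts = {}  # user -> guesses made against the current code

    def request_code(self, user):
        code = self._rng(CODE_SPACE)  # never hand out the previous code again
        self._codes[user] = (code, self._now() + self.TTL_SECONDS)
        self._attempts[user] = 0
        return code

    def verify(self, user, guess):
        code, expiry = self._codes.get(user, (None, 0))
        if code is None or expiry <= self._now():
            return 200
        self._attempts[user] = self._attempts.get(user, 0) + 1
        if self._attempts[user] > self.MAX_ATTEMPTS:
            del self._codes[user]  # burn the code; 429 stands in for throttling
            return 429
        if hmac.compare_digest(f'{guess:06d}', f'{code:06d}'):
            del self._codes[user]  # single use: a correct code cannot be replayed
            return 302
        return 200


def brute_force(flow, user):
    '''Walk the whole six-digit space against `flow`, stopping at the first
    302 the way an Intruder-style attack would. Returns (code, attempts), or
    (None, attempts) when the flow shuts the attack down or nothing matches.'''
    for guess in range(CODE_SPACE):
        status = flow.verify(user, guess)
        if status == 302:
            return guess, guess + 1
        if status == 429:
            return None, guess + 1
    return None, CODE_SPACE


if __name__ == '__main__':
    weak = WeakResetFlow()
    target = weak.request_code('victim')
    print('weak flow:', brute_force(weak, 'victim'), 'code was', target)
    hard = HardenedResetFlow()
    hard.request_code('victim')
    print('hardened flow:', brute_force(hard, 'victim'))
```
\n<p>Against <code>WeakResetFlow<\/code>, <code>brute_force<\/code> always recovers the code within a million <code>verify<\/code> calls, because every wrong guess is free and the target never moves. Against <code>HardenedResetFlow<\/code> the same loop is cut off after the sixth attempt, the burned code is gone, and a fresh request hands the attacker a new six-digit target that the earlier guesses say nothing about. 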
<\/p>\n<h2 class=\"wp-block-heading\" id=\"h-paying-attention-pays-off\">Paying attention pays off<\/h2>\n<p>There are a few takeaways from this method that Facebook users, and users of other platforms for that matter, can use to their advantage.<\/p>\n<ul>\n<li>Pay attention to the signs that a password reset has been requested (email, notifications, texts, etc.). Somebody could be trying to take over your account. If you did not start the reset, follow the instructions in the password reset notification.<\/li>\n<li><a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2019\/07\/cooperating-apps-and-automatic-permissions-are-setting-you-up-for-failure\">Don&#8217;t use the Facebook login option<\/a> on other platforms, and certainly not on ones that hold personal or financial information about you.<\/li>\n<li>Turn on <a href=\"https:\/\/www.facebook.com\/help\/148233965247823\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">2FA for Facebook<\/a> to make it harder for criminals to hijack your account.<\/li>\n<\/ul>\n<p><a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2024\/02\/facebook-bug-could-have-allowed-attacker-to-take-over-accounts\" target=\"bwo\" >https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p> A vulnerability, now fixed, in Facebook could have allowed an attacker to take over a Facebook account without the victim needing to click on anything at all. 
<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[21453,19514,3589,30960,32,26699,30504],"class_list":["post-24058","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-account-takeover","tag-brute-force","tag-facebook","tag-login-code","tag-news","tag-personal","tag-zero-click"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/24058","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=24058"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/24058\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=24058"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=24058"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=24058"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}