– Flaw in the recovery process
Hacking facebook through their reset password
Gurkirat Singh is a security researcher/coder/hacker. In short this is how he managed to hack Facebook (article here).
- First he gets an idea: resetting multiple accounts at the same time could cause Facebook to resend reset tokens.
- Then he writes a script to crawl* different websites in order to collect Facebook accounts.
- Each website is scraped*, so that the script(s) can extract the Facebook IDs.
- The information then goes through a data-mining process and each ID ends up classified as either valid or invalid.
- Finally he wrote a script to execute it all, from different regions, in order to avoid getting blocked.
*Don’t miss our articles: Web scraping – part 1 | Web scraping – part 2
The hacker also states that he might release the entire source code on his Github account
In order to avoid getting your IP blocked from repeatedly sending requests to send password reset emails, you need rotating IPs. This means that every email request will be sent from a batch of thousands of IP addresses to simulate a normal global network flow. There are several services online that offer this feature. In my case, all network traffic went through a proxy server that listened for HTTP requests and arbitrarily assigned an IP address to each request.
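To show the defensive side of this story, here is an added example (not Facebook's code, and not taken from Gurkirat Singh's write-up) of how a password-reset service can be built so that the pattern described above does not pay off: every reset request issues a fresh high-entropy token that replaces the previous one for that account, tokens are single-use and expire, comparison is constant-time, and the burst check counts distinct accounts being reset in a time window rather than requests per IP, so rotating IPs does not hide a mass-reset campaign. The class name, the thresholds and the 15-minute TTL are assumptions made for this illustration.

```python
import hmac
import secrets
from collections import deque

# Assumed values for the illustration; a real deployment tunes these.
TOKEN_TTL_SECONDS = 15 * 60
BURST_WINDOW_SECONDS = 60
MAX_DISTINCT_ACCOUNTS_PER_WINDOW = 50


class PasswordResetService:
    """Hardened reset-token handling (added example, not a real product's code)."""

    def __init__(self, now):
        self._now = now                 # injectable clock for testing
        self._tokens = {}               # account_id -> (token, expires_at)
        self._recent = deque()          # (timestamp, account_id) of recent requests

    def _prune(self, now):
        # Drop requests that fell out of the burst window.
        while self._recent and now - self._recent[0][0] > BURST_WINDOW_SECONDS:
            self._recent.popleft()

    def request_reset(self, account_id):
        """Issue a new token for account_id, invalidating any earlier one.

        Returns (token, alert). alert is True when more distinct accounts than
        allowed have requested a reset inside the window, regardless of source IP.
        """
        now = self._now()
        self._prune(now)
        self._recent.append((now, account_id))
        distinct = len({acct for _, acct in self._recent})
        alert = distinct > MAX_DISTINCT_ACCOUNTS_PER_WINDOW

        # 256 bits of randomness: not guessable, not reusable across accounts.
        token = secrets.token_urlsafe(32)
        # Overwriting the entry makes any previously issued token useless.
        self._tokens[account_id] = (token, now + TOKEN_TTL_SECONDS)
        return token, alert

    def redeem(self, account_id, presented):
        """Consume the token for account_id. True only for the current, unexpired one."""
        now = self._now()
        entry = self._tokens.get(account_id)
        if entry is None:
            return False
        token, expires_at = entry
        if now > expires_at:
            del self._tokens[account_id]
            return False
        # Constant-time comparison avoids leaking how many bytes matched.
        if not hmac.compare_digest(token.encode(), presented.encode()):
            return False
        del self._tokens[account_id]    # single use
        return True


if __name__ == "__main__":
    import time
    svc = PasswordResetService(now=time.time)
    tok, alert = svc.request_reset("demo-account")
    print("token issued, alert =", alert)
    print("redeem once:", svc.redeem("demo-account", tok))
    print("redeem again:", svc.redeem("demo-account", tok))
```

The alert is a detection signal, not a block on its own: the point is that a burst of resets spread across many accounts is visible at the service level even when each individual request looks like an ordinary user from a different IP.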
Why did Facebook have this vulnerability?
Because user experience is given at least as high a priority as security. They simply assumed that no one would try something this crazy. They were wrong.
Brilliant hack, we are very impressed at How-To-Hack.net!