I figured out a way to hack any of Facebook’s 2 billion accounts, and they paid me a $15,000 bounty for it

By AppSecure

This post is about a simple vulnerability I discovered on Facebook which I could have used to hack into other users’ Facebook accounts easily and without any user interaction. This gave me full access to other users’ accounts by setting a new password. I was able to view messages, their credit/debit cards stored under their payment section, personal photos, and other private information.

Facebook acknowledged the issue promptly, fixed it, and rewarded me with a US $15,000 bounty based on the severity and impact of this vulnerability. I am publishing this with the permission of Facebook under the responsible disclosure policy.

Whenever a user forgets their password on Facebook, they have an option to reset the password by entering their phone number and email address on. Facebook will then send a 6 digit code to this phone number or email address which the user has to enter in order to set a new password.

I tried to brute force the 6 digit code on and was blocked after 10–12 invalid attempts. Then I looked for the same issue on and. Interestingly, rate limiting was missing from the forgot password endpoint.

I tried to take over my own account (as per Facebook’s policy, you should not do any harm to any other users’ accounts) and was successful in setting a new password for my account.
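The defensive lesson from this report is that a 6 digit reset code has only one million possible values, so the server-side attempt limit is the entire security of the flow, and that limit has to be keyed on the account being reset and enforced identically on every host that exposes the endpoint. The following Python is an added illustration written for this page, not Facebook’s code: it issues a single-use, time-limited code and counts failed verifications per account regardless of which hostname received the request. The host names, the limit of 10 attempts, the 15 minute lockout and the 10 minute code lifetime are assumptions chosen for the example.

```python
"""Per-account attempt limiting for a 6-digit password-reset code.

Constructed example, not the code of any real site. The counter is keyed
on the account under reset and shared by every hostname serving the
endpoint, so an alternate domain cannot be used to bypass the limit.
"""
import hmac
import secrets
import time
from dataclasses import dataclass

MAX_ATTEMPTS = 10          # assumption: lock the reset after 10 wrong codes
LOCKOUT_SECONDS = 15 * 60  # assumption: lockout length
CODE_TTL_SECONDS = 10 * 60 # assumption: code lifetime


@dataclass
class PendingReset:
    code: str          # the 6-digit code that was sent out of band
    issued_at: float   # clock value when it was issued
    failures: int = 0  # wrong guesses so far, counted across all hosts


class ResetCodeService:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending: dict[str, PendingReset] = {}
        self._locked_until: dict[str, float] = {}

    def issue_code(self, account_id: str):
        """Create and store a fresh code; returns None while the account is locked."""
        now = self._clock()
        if now < self._locked_until.get(account_id, 0.0):
            return None
        # secrets.randbelow gives an unbiased value in [0, 1_000_000)
        code = f"{secrets.randbelow(1_000_000):06d}"
        self._pending[account_id] = PendingReset(code=code, issued_at=now)
        return code

    def verify(self, account_id: str, host: str, submitted: str) -> str:
        """Check a submitted code. `host` is recorded for logging only; it must
        never select a separate counter, which is exactly the gap the report
        describes between the main site and its other endpoints."""
        now = self._clock()
        if now < self._locked_until.get(account_id, 0.0):
            return "locked"
        state = self._pending.get(account_id)
        if state is None:
            return "no_pending_reset"
        if now - state.issued_at > CODE_TTL_SECONDS:
            del self._pending[account_id]
            return "expired"
        # constant-time comparison so timing does not leak matching digits
        if hmac.compare_digest(state.code, submitted):
            del self._pending[account_id]  # single use
            return "ok"
        state.failures += 1
        if state.failures >= MAX_ATTEMPTS:
            # lock the account and discard the code: a new one must be issued
            self._locked_until[account_id] = now + LOCKOUT_SECONDS
            del self._pending[account_id]
            return "locked"
        return "invalid"

    def remaining_attempts(self, account_id: str) -> int:
        state = self._pending.get(account_id)
        return 0 if state is None else MAX_ATTEMPTS - state.failures


def demo() -> list:
    """Stand-alone run: wrong guesses alternate between two hostnames and the
    shared counter still locks the account after MAX_ATTEMPTS failures."""
    svc = ResetCodeService()
    code = svc.issue_code("alice")
    wrong = "000000" if code != "000000" else "000001"
    hosts = ["www.example.test", "beta.example.test"]  # assumed hostnames
    results = [svc.verify("alice", hosts[i % 2], wrong) for i in range(MAX_ATTEMPTS)]
    results.append(svc.verify("alice", hosts[0], code))  # correct code, but locked
    return results


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that the counter and the lock live in the same store as the pending code, indexed by account, so any front end that can verify a code is automatically bound by the same limit; a per-host or per-IP counter alone would have left the gap the report describes.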