January 10, 2013 Mohamed Ramadan

The Most Critical Flaw in Facebook Worth just $500 USD !!

Hi Everyone

I have contacted the security researcher (Sow Ching Shiong) who found the most critical flaw in Facebook: this bug enabled any hacker to change your password without needing to know your current (old) password!

Yeah, just like that: very simple, very dangerous :)

He wrote a post on his blog about the vulnerability:

Facebook Bug #4: Password Reset Vulnerability Found in www.facebook.com

Facebook fixed the vulnerability and rewarded him with just $500 USD!!!

FYI, this bug was being sold on the black market for $4000 USD, according to this blog:

http://krebsonsecurity.com/2013/01/facebook-yahoo-fix-valuable-ecurity-hole/

You can see the reply from Facebook:

The weird thing is that at first they told him it is not a security bug, and they ignored it!!!

Only after he provided the attack scenarios, a PoC and clarifications for the dev team did they accept it as a valid bug!

I think they should reconsider the bounty and raise it to $10000 USD or Higher.

This vulnerability is more dangerous than XSS and CSRF because you don't need to send ANYTHING to the victim or even make any contact with the victim; all you need is the victim's name.

Tell us what you think about this issue. Do you think it is fair?

UPDATE:

I got more information from the security researcher who found and reported the flaw to Facebook:

First: They don't see it as a valid bug.

Second: They are unsure that the bug is a privacy or security issue.
As such, the bug I reported does not qualify as a part of the bug
bounty program.

Yes, it’s not the most critical vulnerability. There are 3 attack scenarios:

First scenario:
A local attack, where a user has forgotten to lock their desktop or laptop.

Second scenario:
An internal attack, where the user's session ID could be sniffed
because Facebook does not use HTTPS by default, could allow the
malicious attacker to hijack the session.

Third scenario:
An external attack could have leveraged an XSS or clickjacking flaw to
steal the session ID.

Once the password has been changed, what the attacker can do is:
1) Change the victim's password at least 2 times so that the
victim cannot recover his/her password by entering the old password to get
back the account.
2) Change all the primary/secondary email addresses or mobile number to
the attacker's to prevent the victim from getting back the account.

Although the victim can still fill out the online form and inform
Facebook that their account has been compromised, it might take
some time for Facebook to review the form. By that time, the victim's
personal information has been stolen or the account can be deactivated.
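The root cause behind all three scenarios above (and behind the "more dangerous than XSS and CSRF" point earlier in the post) is a password-change flow that trusts the session alone: whoever holds a live session ID can set a new password and lock the real owner out. The following is an added illustration written for this post, not code from the researcher or from Facebook. It uses a constructed in-memory user and session store (hypothetical names `USERS`, `SESSIONS`, `change_password_weak`, `change_password_hardened`) to place the weak flow beside a hardened one that re-authenticates with the current password and revokes every other session for that user, which is what stops a sniffed or stolen session ID from turning into a permanent account takeover.

```python
import hashlib
import hmac
import os
import secrets

# Constructed in-memory stores for this example; a real site would use a database.
USERS = {}     # username -> {"salt": bytes, "hash": bytes}
SESSIONS = {}  # session_id -> username


def _hash_password(password, salt):
    # PBKDF2-HMAC-SHA256 with a per-user random salt
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def set_password(username, password):
    salt = os.urandom(16)
    USERS[username] = {"salt": salt, "hash": _hash_password(password, salt)}


def verify_password(username, password):
    rec = USERS.get(username)
    if rec is None:
        return False
    # constant-time comparison of the stored and recomputed hashes
    return hmac.compare_digest(rec["hash"], _hash_password(password, rec["salt"]))


def login(username, password):
    """Returns a fresh random session id on success, None otherwise."""
    if not verify_password(username, password):
        return None
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = username
    return sid


def change_password_weak(session_id, new_password):
    """Weak flow (the pattern the post describes): only the session is checked.
    Anyone holding the session id, whether from an unlocked laptop or a
    hijacked session, can overwrite the credential."""
    username = SESSIONS.get(session_id)
    if username is None:
        return False
    set_password(username, new_password)
    return True


def change_password_hardened(session_id, current_password, new_password):
    """Hardened flow: re-authenticate with the current password before
    rotating the credential, then revoke every other session of the user
    so a stolen session id stops working immediately."""
    username = SESSIONS.get(session_id)
    if username is None:
        return False
    if not verify_password(username, current_password):
        return False
    set_password(username, new_password)
    for sid in [s for s, u in SESSIONS.items() if u == username and s != session_id]:
        del SESSIONS[sid]
    return True


def demo():
    """Runs both flows against a constructed account and returns the outcomes."""
    SESSIONS.clear()
    set_password("alice", "correct horse")
    owner_sid = login("alice", "correct horse")
    # stand-in for a session id obtained without the password (scenarios 1-3 above)
    stolen_sid = login("alice", "correct horse")

    weak_changed = change_password_weak(stolen_sid, "attacker-chosen")
    owner_locked_out = not verify_password("alice", "correct horse")

    set_password("alice", "correct horse")  # reset for the hardened run
    hardened_rejected = not change_password_hardened(stolen_sid, "wrong guess", "attacker-chosen")
    owner_changed = change_password_hardened(owner_sid, "correct horse", "new passphrase")
    stolen_revoked = stolen_sid not in SESSIONS
    owner_kept = owner_sid in SESSIONS

    return {
        "weak_changed_without_old_password": weak_changed,
        "weak_owner_locked_out": owner_locked_out,
        "hardened_rejected_without_old_password": hardened_rejected,
        "hardened_owner_changed": owner_changed,
        "hardened_stolen_session_revoked": stolen_revoked,
        "hardened_owner_session_kept": owner_kept,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The session revocation matters as much as the current-password check: without it, a password change made by the legitimate owner would leave the sniffed session (scenario 2) or the XSS-harvested session (scenario 3) still usable.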

Comments (3)

  1. thehackerspost

    That's not fair. If this guy sold it on the UG market, he'd get thousands of dollars. FB should reconsider this bounty :)

  2. ahmed hassan

    What????????? Are they earnest!!!!!! 500 USD??? This is one of the most critical flaws in Facebook.
