I have contacted the security researcher (Sow Ching Shiong) who found a critical flaw in Facebook: this bug allowed an attacker who had access to a logged-in session to change the account password without knowing the current (old) password!
Just like that: very simple, very dangerous.
He wrote a post on his blog about the vulnerability.
Facebook fixed the vulnerability and rewarded him with just $500 USD!
FYI, this bug was being sold on the black market for $4000 USD, according to this blog.
You can see the reply from Facebook:
The weird thing is that at first they told him it was not a security bug, and they ignored it!
Only after he provided attack scenarios, a POC and clarifications for the dev team did they accept it as a valid bug.
I think they should reconsider the bounty and raise it to $10000 USD or higher.
This vulnerability is more dangerous than a typical XSS or CSRF because you don't need to send anything to the victim or craft a payload for a specific page: once the attacker holds the victim's session (an unlocked machine, a sniffed or stolen session ID), the password can be changed outright, with no current-password check standing in the way.
Tell us what you think about this issue. Do you think it is fair?
I got more information from the security researcher who found and reported the flaw to Facebook:
First: they don't see it as a valid bug.
Second: they are unsure whether the bug is a privacy or security issue.
As such, the bug I reported does not qualify as a part of the bug
Yes, it's not the most critical vulnerability. There are 3 attack scenarios:
A local attack, where a user has forgotten to lock their desktop or laptop.
An internal attack, where the user's session ID could be sniffed because Facebook does not use HTTPS by default, which could allow a malicious attacker to hijack the session.
An external attack, which could leverage an XSS or clickjacking flaw to steal the session ID.
Once the password has been changed, what the attacker can do is:
1) Change the victim's password at least 2 times so that the victim cannot recover the account by entering the old password.
2) Change all the primary/secondary email addresses or the mobile number to the attacker's own, to prevent the victim from getting the account back.
Although the victim can still fill out the online form and inform Facebook that their account has been compromised, it might take some time for Facebook to review the form. By that time, the victim's personal information may have been stolen or the account deactivated.
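The following is an added example, not code from the original post, from Facebook, or from the researcher. It models the flaw the post describes and the takeover steps the researcher lists: a toy account service whose password-change and email-change handlers accept a valid session cookie but never ask for the current password (the vulnerable variant), beside a hardened variant that requires the current password and revokes all other sessions on a successful change. The usernames, passwords, email addresses and the "recover with your previous password" feature are constructed for the demonstration; the recovery model assumes only the most recently replaced password is remembered, which is what makes "change it twice" effective.

```python
import hashlib
import hmac
import os
import secrets

# Hypothetical model of a session-based account service; not Facebook's code.

ITERATIONS = 100_000


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def verify_password(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


class AccountService:
    def __init__(self, require_current_password):
        # False reproduces the reported flaw; True is the hardened behaviour.
        self.require_current_password = require_current_password
        self.users = {}     # username -> {"salt", "digest", "previous", "email"}
        self.sessions = {}  # session_id -> username

    def register(self, username, password, email):
        salt, digest = hash_password(password)
        self.users[username] = {"salt": salt, "digest": digest,
                                "previous": None, "email": email}

    def login(self, username, password):
        user = self.users[username]
        if not verify_password(password, user["salt"], user["digest"]):
            return None
        sid = secrets.token_hex(16)
        self.sessions[sid] = username
        return sid

    def _authorize(self, session_id, current_password):
        """Resolve the session; in hardened mode also demand the current password."""
        username = self.sessions.get(session_id)
        if username is None:
            return None
        user = self.users[username]
        if self.require_current_password and (
            current_password is None
            or not verify_password(current_password, user["salt"], user["digest"])
        ):
            return None
        return username

    def change_password(self, session_id, new_password, current_password=None):
        username = self._authorize(session_id, current_password)
        if username is None:
            return False
        user = self.users[username]
        user["previous"] = (user["salt"], user["digest"])  # only the last one is kept
        user["salt"], user["digest"] = hash_password(new_password)
        if self.require_current_password:
            # Revoke every other session so a hijacked session dies with the change.
            self.sessions = {s: u for s, u in self.sessions.items()
                             if u != username or s == session_id}
        return True

    def change_email(self, session_id, new_email, current_password=None):
        username = self._authorize(session_id, current_password)
        if username is None:
            return False
        self.users[username]["email"] = new_email
        return True

    def recover_with_previous_password(self, username, old_password):
        """Constructed recovery feature: restore the account if the previous password matches."""
        user = self.users[username]
        if user["previous"] is None or not verify_password(old_password, *user["previous"]):
            return False
        user["salt"], user["digest"] = user["previous"]
        user["previous"] = None
        return True


def simulate_takeover(require_current_password):
    """Attacker holds a stolen session ID (scenario 2 or 3) but not the password."""
    svc = AccountService(require_current_password)
    svc.register("victim", "correct horse", "victim@example.com")  # constructed sample
    stolen_sid = svc.login("victim", "correct horse")  # sniffed over HTTP or via XSS
    first = svc.change_password(stolen_sid, "attacker1")
    second = svc.change_password(stolen_sid, "attacker2")  # step 1: change twice
    email = svc.change_email(stolen_sid, "attacker@example.net")  # step 2
    return {
        "password_changed": first and second,
        "email_changed": email,
        "victim_recovered_with_old_password":
            svc.recover_with_previous_password("victim", "correct horse"),
        "victim_can_still_log_in": svc.login("victim", "correct horse") is not None,
    }


if __name__ == "__main__":
    print("vulnerable:", simulate_takeover(False))
    print("hardened:  ", simulate_takeover(True))
```

In the vulnerable variant the stolen session is enough to rotate the password twice and swap the contact email, and the victim's old password no longer recovers the account. In the hardened variant every change fails without the current password, and a legitimate change revokes the stolen session. The caveat the researcher's write-up implies still holds: a hijacked session can read the victim's data until it is revoked, so the current-password check limits lockout, not disclosure.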