A TECH ENGINEER has demonstrated how he could access anyone's Facebook account without so much as a password thanks to a vulnerability in the password recovery process.
Anand Prakash, from Indian e-commerce company Flipkart, was able to use brute-force attacks to gain access to accounts and then change the passwords.
The attack works like this. Tell Facebook you forgot your password. It sends you a six-digit code to confirm that you did indeed request the reset. If you get the six-digit code wrong, the account locks after a number of attempts.
The problem was that the Facebook beta site didn't have the same safeguard. Prakash used a piece of software called Burp Suite to bombard the system until a code worked, and then changed the password.
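To make the missing safeguard concrete, here is an added example (written for this page, not Facebook's code or Prakash's tooling) of a password-reset code verifier that enforces the protection the main site had and the beta lacked: a per-account attempt budget, a code lifetime, single use, and a constant-time comparison. The attempt counter lives with the pending reset rather than with any one front end, so every site or API that calls `verify()` shares the same lockout; the `MAX_ATTEMPTS` and `CODE_TTL_SECONDS` values, the `ResetCodeService` class and the injectable `now` clock are assumptions of this example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

MAX_ATTEMPTS = 10        # failed guesses allowed before the pending reset locks (assumed value)
CODE_TTL_SECONDS = 600   # a code is only valid for ten minutes (assumed value)


@dataclass
class PendingReset:
    code: str
    issued_at: float
    attempts: int = 0
    locked: bool = False


class ResetCodeService:
    """Issues six-digit reset codes and verifies them against a shared attempt budget.

    The counter is stored with the pending reset itself, so a beta site, the main
    site and a mobile API all draw on the same budget. This is the design choice
    the example illustrates; it is not a description of any real deployment.
    """

    def __init__(self, now=time.time):
        self._now = now                       # injectable clock, so expiry can be tested
        self._pending: dict[str, PendingReset] = {}

    def issue_code(self, account: str) -> str:
        # secrets.randbelow gives a uniformly random value; zero-pad to six digits.
        code = f"{secrets.randbelow(1_000_000):06d}"
        self._pending[account] = PendingReset(code=code, issued_at=self._now())
        # A real service sends this to the user's verified e-mail or phone,
        # never back to the HTTP caller; returning it here only serves the demo.
        return code

    def verify(self, account: str, submitted: str) -> bool:
        pending = self._pending.get(account)
        if pending is None or pending.locked:
            return False                      # nothing pending, or budget exhausted
        if self._now() - pending.issued_at > CODE_TTL_SECONDS:
            del self._pending[account]        # stale code: force a fresh request
            return False
        pending.attempts += 1
        # compare_digest runs in constant time, so timing does not leak which digits matched.
        if hmac.compare_digest(pending.code, submitted):
            del self._pending[account]        # a code is single use
            return True
        if pending.attempts >= MAX_ATTEMPTS:
            pending.locked = True             # from now on even the right code is refused
        return False

    def is_locked(self, account: str) -> bool:
        pending = self._pending.get(account)
        return pending is not None and pending.locked

    def attempts_remaining(self, account: str) -> int:
        pending = self._pending.get(account)
        if pending is None or pending.locked:
            return 0
        return MAX_ATTEMPTS - pending.attempts


if __name__ == "__main__":
    svc = ResetCodeService()
    code = svc.issue_code("demo-user")        # constructed account name
    print("wrong guess accepted:", svc.verify("demo-user", "000000" if code != "000000" else "000001"))
    print("attempts remaining:", svc.attempts_remaining("demo-user"))
```

Without the attempt counter, `verify()` would accept an unbounded number of guesses and a million-code space is small enough to exhaust; with it, a locked reset refuses even the correct code until the user requests a new one, which is the behaviour the article attributes to the main site.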
This allowed Prakash to log in to Facebook profiles, access all manner of information, and post status updates on behalf of the page owner. He was even able to access credit card information, meaning that players of Farmville and Candy Crush are particularly vulnerable.
This could have been a disaster had it been exploited in the wild as Facebook Messenger allows the sending of money peer-to-peer.
Prakash told the Daily Torygraph that the vulnerability was "very easy to exploit" provided you have the username of your intended victim, which you can get very easily from looking at their profile.
Fortunately, the problem has since been resolved and your data is safe once more, but it's a pretty big goof on the part of Facebook not to ensure that the public-facing beta was afforded the same protection as the main site.