Serious Flaw in Facebook Allows Arbitrary Account Hijacking

Bogdan BOTEZATU

January 08, 2013

Blind trust does not cut it when you're a social network with a billion active users. That's what Facebook found out after white-hat hacker Sow Ching Shiong reported a serious vulnerability that allows virtually anyone to seize control of a user account without knowing the original login password or having access to the victim's e-mail.

Long story short, Facebook allows a hacked account to apply for a password reset by visiting the facebook.com/hacked section. Directly accessing the link skips the password verification challenge and takes the attacker straight to the new password selection step. Once that step is completed, the attacker can log into the victim's account using the newly changed password, provided they know the victim's e-mail address.
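The bug described above is a step-skipping flaw: the server let the client reach the final step of a multi-step flow without proving that the earlier verification step had been completed. The following is an added illustration (not Facebook's code) of a minimal recovery flow with that defect, next to a hardened variant that tracks the stage server-side; every class, function and sample value here is hypothetical.

```python
# Added example (not Facebook's code): a minimal multi-step account-recovery
# flow in which the final "choose a new password" step can be reached without
# completing verification, next to a hardened version that enforces ordering.
import hmac
import secrets


class RecoveryFlow:
    """Hypothetical account-recovery state machine."""

    def __init__(self, users: dict, enforce_order: bool):
        self.users = users              # e-mail -> password (constructed sample store)
        self.enforce_order = enforce_order
        self.sessions = {}              # session id -> {"email", "stage", "code"}

    def start(self, email: str) -> str:
        """Step 1: claim the account is compromised; issue a recovery session."""
        sid = secrets.token_hex(8)
        code = secrets.token_hex(4)     # would be delivered out of band (e-mail/SMS)
        self.sessions[sid] = {"email": email, "stage": "started", "code": code}
        return sid

    def verify(self, sid: str, submitted_code: str) -> bool:
        """Step 2: prove control of the account via the out-of-band code."""
        s = self.sessions[sid]
        if hmac.compare_digest(s["code"], submitted_code):
            s["stage"] = "verified"
            return True
        return False

    def set_password(self, sid: str, new_password: str) -> bool:
        """Step 3: choose a new password. The defect: reachable without step 2."""
        s = self.sessions.get(sid)
        if s is None:
            return False
        # Hardened check: the server's own record of the session stage, not the
        # URL the client happened to request, decides whether step 2 happened.
        if self.enforce_order and s["stage"] != "verified":
            return False
        self.users[s["email"]] = new_password
        del self.sessions[sid]
        return True


def skipped_verification_succeeds(enforce_order: bool) -> bool:
    """Return True if jumping straight to step 3 changes the stored password."""
    users = {"victim@example.com": "original-secret"}   # constructed sample
    flow = RecoveryFlow(users, enforce_order)
    sid = flow.start("victim@example.com")
    flow.set_password(sid, "changed-without-verification")  # verify() never called
    return users["victim@example.com"] == "changed-without-verification"
```

With `enforce_order=False` the reset goes through, reproducing the class of bug in the article; with `enforce_order=True` it is refused until the code from step 2 has been presented.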

On the bright side, Facebook automatically sends e-mail notifications whenever the account is changed or when a log-in is attempted from a new computer, so the account owner would be notified that someone is logging into their account.

More than that, if the security system detects a significant geographic distance between the location of the last authorized login and the location of the new log-in attempt, it would block the attempt, pending e-mail authorization.

"This vulnerability has been confirmed and patched by Facebook Security Team. I would like to thank them for their quick response to my report," noted Shiong in the post.

If you haven't done so already, and care for the safety of your account, you might want to consider enabling two-factor authentication from the Security Settings section, as shown below.

When enabled, Facebook sends a security code to your mobile phone each time you log into your Facebook account from a new device.
