How I could have hacked any Facebook account

This post is about a simple vulnerability found on Facebook which could have been used to hack into other users' Facebook accounts easily without any user interaction. This gave me full access to another user's account by setting a new password. I was able to view messages, his credit/debit cards stored under the payment section, personal photos etc. Facebook acknowledged the issue promptly, fixed it and rewarded $15,000 USD considering the severity and impact of the vulnerability.

Then I looked out for the same issue on beta.facebook.com and mbasic.beta.facebook.com and interestingly rate limiting was missing on the forgot password endpoints. I tried to take over my own account (as per Facebook's policy you should not do any harm to any other user's account) and was successful in setting a new password for my account. I could then use the same password to log in to the account.

As you can see in the video, I was able to set a new password for the user by brute forcing the code which was sent to the user's email address/phone number.

POST /recover/as/code/ HTTP/1.1
Host: beta.facebook.com

Brute forcing the "n" successfully allowed me to set a new password for any Facebook user.

Timeline:
Feb 22nd, 2016 : Report sent to Facebook team.
Feb 23rd, 2016 : Verified the fix from my end.
March 2nd, 2016 : Bounty of $15,000 awarded.
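The root cause above is a reset-code check with no attempt budget, which turns a 6-digit code into a search problem. The following is an added illustration of the missing control, written for this post and not Facebook's code: a code store that gives each issued code a small number of guesses and burns it once they are used up. Class and method names, the 5-attempt budget and the 15-minute lifetime are all assumptions.

```python
import hmac
import secrets
import time

# Assumed policy values (not from the post): a small guess budget per issued
# code makes exhaustive search of the 6-digit space infeasible.
MAX_ATTEMPTS = 5
CODE_TTL_SECONDS = 15 * 60


class RecoveryCodeStore:
    """Issue and verify one-time password-reset codes with a per-code attempt budget."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, ttl=CODE_TTL_SECONDS, now=time.time):
        self._codes = {}  # account_id -> [code, expires_at, attempts_left]
        self.max_attempts = max_attempts
        self.ttl = ttl
        self._now = now  # injectable clock so expiry can be exercised in tests

    def issue(self, account_id):
        # Six-digit numeric code, like the one the post describes being sent by email/SMS.
        code = f"{secrets.randbelow(10**6):06d}"
        self._codes[account_id] = [code, self._now() + self.ttl, self.max_attempts]
        return code

    def verify(self, account_id, submitted):
        entry = self._codes.get(account_id)
        if entry is None:
            return "no_code"  # never issued, already used, expired, or burned by lockout
        code, expires_at, attempts_left = entry
        if self._now() > expires_at:
            del self._codes[account_id]
            return "expired"
        # Constant-time comparison so timing does not leak partial matches.
        if hmac.compare_digest(code.encode(), str(submitted).encode()):
            del self._codes[account_id]  # single use
            return "ok"
        entry[2] = attempts_left - 1
        if entry[2] <= 0:
            # Budget exhausted: invalidate the code; the user must request a new one.
            del self._codes[account_id]
            return "locked"
        return "wrong"
```

With unlimited attempts an attacker needs at most 10^6 requests per account; with this budget the best case is max_attempts / 10^6 per issued code, and each new code restarts the search.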
