Industry News

Serious Flaw in Facebook Allows Arbitrary Account Hijacking

Blind trust does not cut it when you’re a social network with a billion active users. That’s what Facebook found out after white-hat hacker Sow Ching Shiong reported a serious vulnerability that allows virtually anyone to seize control of a user account without knowing the original login password or having access to the victim’s e-mail.

Long story short, Facebook allows a hacked account to apply for a password reset by visiting the section. Directly accessing the link skips the password-verification challenge and takes the attacker straight to the new-password selection step. Once that step is completed, the attacker can log into the victim’s account using the newly changed password, provided they know the victim’s e-mail address.

On the bright side, Facebook automatically sends e-mail notifications whenever the account is changed or when a log-in is attempted from a new computer, so the legitimate account owner would be notified that someone is logging into their account.

More than that, if the security system detects a significant geographic distance between the location of the last authorized login and the location of the new log-in attempt, it would block the attempt, pending e-mail authorization.
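To make the skipped step concrete, here is an added Python sketch of a three-step reset flow (constructed for this article; it is not Facebook’s code, and the class, token and code names are hypothetical). The vulnerable variant changes the password as soon as the final endpoint is reached, while the fixed variant requires server-side proof that the challenge was passed, spends the token once, and records the owner notification described above.

```python
import hashlib
import hmac
import secrets

def _hash(password: str) -> str:
    # Toy hash for the example only; a real system uses a slow KDF such as argon2/bcrypt.
    return hashlib.sha256(password.encode()).hexdigest()

class ResetFlow:
    """Hypothetical three-step reset flow: request -> challenge -> set new password."""
    def __init__(self):
        self.users = {}          # e-mail -> password hash
        self.resets = {}         # reset token -> {"email", "code", "challenge_passed", "used"}
        self.notifications = []  # messages the account owner would receive

    def register(self, email, password):
        self.users[email] = _hash(password)

    def request_reset(self, email):
        # Step 1: anyone who knows the e-mail address can start a reset.
        token = secrets.token_urlsafe(16)
        code = secrets.token_hex(3)  # would be delivered to the owner's e-mail, not to the caller
        self.resets[token] = {"email": email, "code": code, "challenge_passed": False, "used": False}
        return token, code

    def pass_challenge(self, token, answer):
        # Step 2: the verification challenge that the reported bypass skipped entirely.
        st = self.resets[token]
        if hmac.compare_digest(answer, st["code"]):
            st["challenge_passed"] = True
        return st["challenge_passed"]

    def set_password_vulnerable(self, token, new_password):
        # Step 3 as in the flaw: reaching this endpoint is taken as proof that step 2 happened.
        st = self.resets[token]
        self.users[st["email"]] = _hash(new_password)
        return True

    def set_password_fixed(self, token, new_password):
        # Step 3 hardened: server-side state, not the URL reached, decides whether to proceed.
        st = self.resets.get(token)
        if st is None or st["used"] or not st["challenge_passed"]:
            return False
        st["used"] = True  # single-use token, so a leaked link cannot be replayed
        self.users[st["email"]] = _hash(new_password)
        self.notifications.append(f"{st['email']}: your password was changed")
        return True

    def login(self, email, password):
        return hmac.compare_digest(self.users.get(email, ""), _hash(password))
```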

“This vulnerability has been confirmed and patched by Facebook Security Team. I would like to thank them for their quick response to my report,” noted Shiong in the post.

If you haven’t done so already, and care for the safety of your account, you might want to consider enabling two-factor authentication from the Security Settings section, as shown below.

When enabled, Facebook sends a security code to your mobile phone each time you log into your Facebook account from a new device.

About the author


Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the web without protection or rodeo with wild Trojan horses. He believes that most things in life can be beat with strong heuristics and that antimalware research is like working for a secret agency: you need to stay focused at all times, but you get all the glory when you catch the bad guys.


  • Two-factor authentication won’t be of any value, though, if you don’t have a mobile phone and have it on all the time. I’m old school, sorry.

    • Hey there,

      Two-factor authentication is only required when logging in from a different computer or into a different browser. So, as long as you don’t log in from various machines, you won’t be required to enter the code sent via SMS.