
Serious Flaw in Facebook Allows Arbitrary Account Hijacking

Bogdan BOTEZATU

January 08, 2013


Blind trust does not cut it when you're a social network with a billion active users. That's what Facebook found out after white-hat hacker Sow Ching Shiong reported a serious vulnerability that allows virtually anyone to seize control of a user account without knowing the original login password or having access to the victim's e-mail.

Long story short, Facebook allows the owner of a hacked account to apply for a password reset by visiting the facebook.com/hacked section. Directly accessing the link skips the password verification challenge and takes the attacker straight to the new-password selection step. Once that step is completed, the attacker can log into the victim's account with the newly changed password, provided they know the victim's e-mail address.
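The flaw described above is a multi-step flow whose final step does not check that the earlier verification step was actually passed. The following is an added illustration, not Facebook's code: a hypothetical recovery service in its vulnerable form (the "set new password" step trusts anyone who reaches it) beside a hardened form that only accepts a single-use, short-lived token minted by the verification step and bound to the account being reset. All class, function and data names are invented for the example.

```python
"""Added example (not Facebook's code): forced access to the final step of a
password-recovery flow, and the server-side fix. Every name here is hypothetical."""
import hashlib
import hmac
import secrets
import time

# Constructed sample user store: e-mail -> password hash. A real system would
# use a salted, slow hash (argon2/bcrypt); SHA-256 is only a stand-in here.
USERS = {
    "victim@example.com": hashlib.sha256(b"original-secret").hexdigest(),
}

TOKEN_TTL_SECONDS = 15 * 60  # reset tokens expire after 15 minutes


def _hash_password(password):
    return hashlib.sha256(password.encode()).hexdigest()


class VulnerableRecovery:
    """Step 2 trusts the caller; nothing proves that step 1 (verification) ran."""

    def __init__(self, users):
        self.users = users

    def set_new_password(self, email, new_password):
        # Bug pattern from the article: reaching this step directly lets anyone
        # who knows the e-mail address overwrite the password.
        if email not in self.users:
            return False
        self.users[email] = _hash_password(new_password)
        return True


class HardenedRecovery:
    """Step 2 only accepts a single-use, unexpired token issued by step 1."""

    def __init__(self, users, now=time.time):
        self.users = users
        self.now = now
        self._server_key = secrets.token_bytes(32)   # per-process secret for token digests
        self._pending = {}                           # token digest -> (email, expiry)

    def _digest(self, token):
        # Store only an HMAC of the token so a leaked table is not directly usable.
        return hmac.new(self._server_key, token.encode(), hashlib.sha256).hexdigest()

    def verify_identity(self, email, challenge_passed):
        """Step 1: the caller must pass the verification challenge (password,
        e-mail link, security question...). Returns a token bound to the account."""
        if email not in self.users or not challenge_passed:
            return None
        token = secrets.token_urlsafe(32)
        self._pending[self._digest(token)] = (email, self.now() + TOKEN_TTL_SECONDS)
        return token

    def set_new_password(self, email, new_password, token):
        """Step 2: refuse unless a valid, unexpired token for this e-mail exists."""
        if not token:
            return False
        entry = self._pending.pop(self._digest(token), None)   # single use
        if entry is None:
            return False
        bound_email, expiry = entry
        if bound_email != email or self.now() > expiry:
            return False
        self.users[email] = _hash_password(new_password)
        return True


def check_password(users, email, password):
    return hmac.compare_digest(users.get(email, ""), _hash_password(password))


def demo():
    """Returns (vulnerable_bypassed, hardened_direct_blocked, hardened_after_verify_ok)."""
    v_users = dict(USERS)
    vulnerable = VulnerableRecovery(v_users)
    bypassed = (vulnerable.set_new_password("victim@example.com", "attacker-chosen")
                and check_password(v_users, "victim@example.com", "attacker-chosen"))

    h_users = dict(USERS)
    hardened = HardenedRecovery(h_users)
    # Jumping straight to step 2 (no token) changes nothing.
    direct_blocked = (not hardened.set_new_password("victim@example.com", "attacker-chosen", None)
                      and check_password(h_users, "victim@example.com", "original-secret"))

    # The legitimate path: pass verification, use the token once.
    token = hardened.verify_identity("victim@example.com", challenge_passed=True)
    after_verify_ok = (hardened.set_new_password("victim@example.com", "new-secret", token)
                       and check_password(h_users, "victim@example.com", "new-secret")
                       and not hardened.set_new_password("victim@example.com", "again", token))
    return bypassed, direct_blocked, after_verify_ok


if __name__ == "__main__":
    print(demo())
```

The design point is that the final step must verify server-held state (a token it issued after the challenge), not the mere fact that the client navigated to the right URL; binding the token to the account and making it single-use and short-lived also closes the obvious variants (reusing a token, or using a token issued for one account against another).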

On the bright side, Facebook automatically sends e-mail notifications whenever the account is changed or when a log-in is attempted from a new computer, so the victim would be notified that someone is logging into their account.

More than that, if the security system detects a significant geographic distance between the location of the last authorized login and the location of the new log-in attempt, it would block the attempt, pending e-mail authorization.

“This vulnerability has been confirmed and patched by Facebook Security Team. I would like to thank them for their quick response to my report,” noted Shiong in the post.

If you haven't done so already, and care for the safety of your account, you might want to consider enabling two-factor authentication from the Security Settings section, as shown below.

When enabled, Facebook sends a security code to your mobile phone each time you log into your Facebook account from a new device.

Author


Bogdan BOTEZATU

Bogdan is living his second childhood at Bitdefender as director of threat research.
