A computer programmer has revealed how he was able to hack into any Facebook account using relatively simple software.
Anand Prakash, a product security engineer at Indian ecommerce company Flipkart, said he was able to access accounts without a password by using a common “brute force” cyber-attack on the Facebook website.
The flaw left Facebook’s 1.6 billion users at risk, although it only existed in the wild for around two days before it was discovered, and was quickly rectified.
When a Facebook user loses their password, they are asked to enter their email address, username or phone number, and are then sent a six-digit code which they can use to log in on the Facebook website.
(Image: Facebook's security page when users forget their password)
As with a password, Facebook tries to stop attackers from guessing this code by repeatedly entering different combinations: it locks the reset process after a certain number of wrong guesses.
But Prakash found that Facebook’s beta website, which is used by software developers but lets anyone log in, did not have the same restrictions.
Using a program called Burp Suite, he was able to rapidly try all possible combinations until he found the correct code, allowing him to log in, enter a new password and log out other devices using the Facebook account. He demonstrated the flaw to show how he was able to log into his own Facebook profile, and access private information including messages and credit card numbers.
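The control at the centre of the story is the guess budget on the six-digit code. The following Python sketch is an added example, not Facebook's code or anything from Prakash's report; the class names, limits and the fake clock are assumptions. Setting max_attempts to None reproduces the beta site's behaviour, in which every guess is compared, while the default locks the flow after five wrong codes.

```python
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class ResetChallenge:
    code: str               # six-digit code sent out of band (email/SMS)
    created_at: float
    attempts: int = 0       # wrong guesses so far
    locked_until: float = 0.0


class ResetCodeVerifier:
    """Verifies password-reset codes with a per-account guess budget (assumed design)."""

    def __init__(self, max_attempts=5, lockout_seconds=900, ttl_seconds=600, clock=time.time):
        self.max_attempts = max_attempts      # None = no lockout, as on the beta site
        self.lockout_seconds = lockout_seconds
        self.ttl_seconds = ttl_seconds
        self.clock = clock                    # injectable for deterministic testing
        self._challenges = {}

    def issue(self, account_id):
        # 10**6 possible codes: far too few to survive unlimited guessing
        code = f"{secrets.randbelow(10**6):06d}"
        self._challenges[account_id] = ResetChallenge(code, self.clock())
        return code  # delivered to the account owner, never to the web client

    def verify(self, account_id, submitted):
        ch = self._challenges.get(account_id)
        now = self.clock()
        if ch is None:
            return "no_challenge"
        if now < ch.locked_until:
            return "locked"               # refused before any comparison happens
        if now - ch.created_at > self.ttl_seconds:
            del self._challenges[account_id]
            return "expired"
        if hmac.compare_digest(ch.code.encode(), submitted.encode()):
            del self._challenges[account_id]   # single use
            return "ok"
        ch.attempts += 1
        if self.max_attempts is not None and ch.attempts >= self.max_attempts:
            ch.locked_until = now + self.lockout_seconds   # later guesses are refused
        return "wrong"


def guesses_evaluated(verifier, account_id, wrong_guesses):
    """Count how many of a series of wrong guesses the server actually compared."""
    return sum(verifier.verify(account_id, g) == "wrong" for g in wrong_guesses)
```

A real deployment would also key the budget on the requesting client (IP or device) and apply it identically on every hostname that serves the reset flow, which is the gap the beta site exposed.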
Prakash told The Telegraph the vulnerability was “very easy to exploit” and that “this hack was available to everyone”. He said that all that a potential hacker needed was a Facebook member’s username, which can be found publicly by searching for their Facebook profile (Mark Zuckerberg’s, for example, is “zuck”).
Luckily, Prakash alerted Facebook to the flaw, which paid him a $15,000 (£10,500) reward and fixed it in February.
The vulnerability was introduced by a Facebook update around two days earlier and was fixed a day after Prakash reported it, but during that window anyone could potentially have exploited it.
Professor Alan Woodward, a cybersecurity expert at the University of Surrey, said the simplicity of the hack was worrying.
“It was surprisingly simple, you’d have thought someone would have picked up on it now,” he said. “You would think sites would allow you to have five attempts and then lock you out, it’s pretty standard practice.”
A Facebook spokesman said: "One of the most valuable benefits of bug bounty programs is the ability to find problems even before they reach production. We're happy to recognize and reward Anand for his excellent report."