


By AppSecure

I figured out a way to hack any of Facebook’s 2 billion accounts, and they paid me a $15,000 bounty for it.

This post is about a simple vulnerability I discovered on Facebook which I could have used to hack into other users’ Facebook accounts easily and without any user interaction. This gave me full access to other users’ accounts by setting a new password. I was able to view messages, their credit/debit cards stored under their payment section, personal photos, and other private information. Facebook acknowledged the issue promptly, fixed it, and rewarded me with a US $15,000 bounty based on the severity and impact of this vulnerability. I am publishing this with the permission of Facebook under the responsible disclosure policy.

Whenever a user forgets their password on Facebook, they have an option to reset the password by entering their phone number and email address on. Facebook will then send a 6-digit code to this phone number or email address, which the user has to enter in order to set a new password. I tried to brute force the 6-digit code on and was blocked after 10–12 invalid attempts. Then I looked for the same issue on and. Interestingly, rate limiting was missing from the forgot-password endpoint.

Vulnerable request

Brute forcing the “n” successfully allowed me to set a new password for any Facebook user.

A proof of concept video of the hack

As you can see in the video, I was able to set a new password for the user by brute forcing the code which was sent to their email address and phone number. I could then use this same password to log into my own hacked account. I tried to take over my own account (as per Facebook’s policy, you should not do any harm to any other users’ accounts) and was successful in setting a new password for my account.

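The control that was missing on the affected endpoint is a cap on verification attempts per issued reset code. The following is an added example, not Facebook's code or the author's, of how a password-reset flow can bound guesses: a per-account store that burns a 6-digit code after MAX_ATTEMPTS failures, expires it after a TTL, and consumes it on first success. The cap of 10 mirrors the 10–12 blocked attempts reported above; the 15-minute TTL, the class and helper names are assumptions.

```python
import hmac
import secrets
import time

# Wrong guesses allowed before the code is burned (the hardened hosts in the
# post blocked after roughly 10-12 invalid attempts).
MAX_ATTEMPTS = 10
# Lifetime of an issued code in seconds (assumed value, not from the post).
CODE_TTL_SECONDS = 15 * 60


class ResetCodeStore:
    """Per-account password-reset codes with attempt limiting.

    A 6-digit code has only 10**6 values, so without a cap an online sweep
    finds it; the cap bounds each issued code to MAX_ATTEMPTS guesses.
    """

    def __init__(self, clock=time.time, randbelow=secrets.randbelow):
        self._clock = clock          # injectable for deterministic tests
        self._randbelow = randbelow  # injectable for deterministic tests
        self._codes = {}  # account_id -> [code, issued_at, failed_attempts]

    def issue(self, account_id):
        code = f"{self._randbelow(10**6):06d}"  # uniform, zero-padded
        self._codes[account_id] = [code, self._clock(), 0]
        return code

    def has_code(self, account_id):
        return account_id in self._codes

    def verify(self, account_id, guess):
        entry = self._codes.get(account_id)
        if entry is None:
            return False  # never issued, expired, consumed or burned
        code, issued_at, failed = entry
        if self._clock() - issued_at > CODE_TTL_SECONDS:
            del self._codes[account_id]
            return False
        # Constant-time compare: no timing signal on how many digits match.
        if hmac.compare_digest(code.encode(), str(guess).encode()):
            del self._codes[account_id]  # single use: consume on success
            return True
        entry[2] = failed + 1
        if entry[2] >= MAX_ATTEMPTS:
            del self._codes[account_id]  # burn it; user must request a new code
        return False


def guesses_before_lockout(store, account_id):
    """Sweep 000000..999999 against the store; returns (guesses made, found).
    Demonstrates that the cap ends the sweep after MAX_ATTEMPTS tries."""
    for attempts, n in enumerate(range(10**6), start=1):
        if store.verify(account_id, f"{n:06d}"):
            return attempts, True
        if not store.has_code(account_id):
            return attempts, False
    return 10**6, False
```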