Ow Facebook: Taking Over Random Accounts

12:25 PM

Okay, it seems I am obsessed with Facebook, I like it. But not obsessed, just addicted? Anyway, this is a series of declined obvious Facebook Bugs I have reported in the program and are still available to be exploited.

This one is a bug that is still out there for being “unpractical” for the Facebook security team. Well, frankly, it’s just a theory I have in my mind. Never tried it because I don’t have a lot of zombies. Zombies? What am I talking about right? Well you will get it soon, stick with me.

When you reset your password, you will get an option to send it to phone by SMS, in the SMS there is a 6 digit token to confirm you phone and also a link to reset it, when redirect to the link, it just gives you a new password and a confirm new password input boxes. So the idea here is to bruteforce this tokens, here is the statics… over a billion users, at least 3-4 million resetting password in a day. Meaning there are around 4 million possible tokens to be found while brute forcing and use them to pawn random accounts. The link looks likehttps://fb.com/l/240jMqhGzXiy8 the last part is the part that holds the token. 13 character token that resets someone’s password is 240jMqhGzXiy8. But the bruteforce is next to impossible because of being 13 characters long, with a mix of lower case letters (26 possibilities), upper case letters (26 possibilities), and numbers (10 possibilities, including 0). So that's 62 raised to the 13th power. That equals 200028539268669788905472 possible values -- 200 sextillion!

But that is a true sextillion if we are looking for a particular value, with a growing number of users resetting their passwords there are around 4 million possibilities. If we do the math that’s a very low percentage of capturing an actual account. But imagine if you have botnets, the zombies, imagine a person with a great internet speed and around 1 billion zombies that take almost an hour to capture all of the 4 mil accounts and take them over.

Now a cleaver attacker does this, he creates an automated script to incriminate the Facebook user ids and request a password reset to over a billion users Facebook holds, that actually doesn’t do anything other than send every user a token. it will help make the bruteforce less time consuming considering we have a possibility of taking over a billion tokens and a billion accounts. Interesting eh?

So if you have the zombies or a system performance that effective, you can still own a lot of accounts. One 
thing I then realized is to study the nature of the token to make our bruteforce algorithm a little effective and less time consuming, they usually start with 3 numbers then characters to be randomized.

This should be classified as a threat, even though the probability of exploitation is very low. Confirming the safety of the users is only by limiting the rate by try and not just because of probability, which still puts the users in a less probable but yet dangerous situation.

You Might Also Like


  1. Good attempt. I am unsure if these botnets would be allowed to create request more than once because facebook would block request looking at the UA's.

    1. Shirtam. I understand your point, I think it "should have" been very true. unfortunately for Facebook, they didn't start doing that just yet. if that was implemented, i woudnt have posted this in the first place, that should be the correct fix by blocking the number of tries from the same UA's after a number of probably ~1000 tires. ;-)

  2. I think it is a possiblitity, I guess. they atleast should consider fixing this after a while, just because they think they will notice the upcoming requests, does not mean they shouldnt find it. ncie find!