Vulnerability in Facebook login allowed attackers to take over any account

Posted 18 February 2019 16:11 CET by Jan Willem Aldershoff

A security issue in Facebook’s login procedure made it possible for attackers to take over arbitrary accounts. The vulnerability allowed attackers to add their own mail address and phone number to the account of another user.

By requesting a password reset, they could then change the password and log in to the account. To perform the attack, the attacker first needed to trick the victim into clicking a specially prepared link.

Security researcher Samm0uda discovered the issue and reported it to Facebook on January 26th this year. The social network fixed the issue within 5 days and awarded the security researcher a $25,000 bounty.
