Here I’m going to explain a Facebook bug that leads to full account takeover.
Recently a similar bug was reported by Anand Prakash.
This is a simple vulnerability that compromises anyone’s Facebook account easily, without any user interaction. It allowed me to get into any Facebook account by changing its password, after which I was able to view the victim’s messages, stored credit/debit cards, personal photos, etc. Facebook took more than 3 weeks to fix this bug. And at last Facebook decided to provide a reward for
When a user chooses the forgot-password option, they can reset the password via phone number or email address at http://www.facebook.com/login/identify/ctx=recover&lwv=110; Facebook sends a 6-digit PIN that is used to reset the password. www.facebook.com has rate limiting, so I can’t brute-force the code there: it accepts only 10-12 attempts.
Anand recently found that beta.facebook.com and mbasic.beta.facebook.com did not have this rate limiting; Facebook released a fix and he got a bounty too.
I was searching for active subdomains of Facebook and found that
https://lookaside.facebook.com was vulnerable: it had no rate limiting on the forgot-password endpoint. I tried to take over my own account and succeeded in setting a new password.
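The root cause above is that the attempt limit was enforced per host, so a subdomain sharing the same reset backend could skip it. As an added example (not Facebook’s code and not part of the original post), here is a reset-code store whose attempt counter travels with the code itself, so every front end that validates against the same store is bound by the same limit; `MAX_ATTEMPTS`, the account ids and the host names are assumptions for illustration.

```python
import hmac
import secrets

# Assumption: an upper bound in line with the 10-12 tries www.facebook.com allowed.
MAX_ATTEMPTS = 10


class ResetCodeStore:
    """One store shared by every front end (www, beta, mbasic, lookaside, ...).

    The counter lives with the code, not with the host that received the
    guess, so no subdomain can offer an unlimited number of attempts.
    """

    def __init__(self, max_attempts=MAX_ATTEMPTS):
        self.max_attempts = max_attempts
        self._codes = {}  # account_id -> {"code": str, "attempts": int}

    def issue(self, account_id):
        # Fresh 6-digit PIN, like the one described in the post.
        code = f"{secrets.randbelow(10**6):06d}"
        self._codes[account_id] = {"code": code, "attempts": 0}
        return code

    def verify(self, account_id, submitted, host):
        """Return (accepted, reason). `host` is only recorded for logging."""
        entry = self._codes.get(account_id)
        if entry is None:
            return False, "no active code"
        entry["attempts"] += 1
        # Constant-time comparison so timing does not leak matching digits.
        if hmac.compare_digest(entry["code"], submitted):
            del self._codes[account_id]  # one-time use
            return True, "ok"
        if entry["attempts"] >= self.max_attempts:
            del self._codes[account_id]  # burn the code; user must request a new one
            return False, "locked"
        return False, f"wrong ({entry['attempts']}/{self.max_attempts} via {host})"
```

Because the lockout is tied to the code, ten wrong guesses split across two hosts still invalidate it, and the correct PIN is no longer accepted afterwards.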
When I reported the bug to Facebook they rejected it, saying they couldn’t reproduce the issue. I provided several PoCs to prove that it was a valid bug.
Weeks after the report they fixed the bug and provided a nice bounty, considering the impact of this vulnerability.
Facebook’s reply with the bounty reward: