Hack Facebook with Password Reset Bug – Here’s How to Secure it

Facebook, one of the most popular social networking sites, has become a part of everyday life. It is a haven where people can like, share and comment on the posts their friends place on the platform, and many are highly attached to it. People share their bizarre moments simply by uploading funny images or videos to Facebook. It is among the most trusted and most used social media platforms. But now these accounts are being hacked!

How To Hack A Facebook Account?

This is the most frequently asked, yet unanswered, question on the Internet. Hacking a Facebook account is a very tough task; even the kings of hacking have failed at it, because Facebook accounts sit at a high security level.
But a white-hat hacker, Gurkirat Singh, could hack your Facebook account irrespective of the strength of your password. He discovered a bug in Facebook’s password reset mechanism that let him view the message conversations, payment details, etc. of other accounts and use such an account exactly as its real owner would.
Gurkirat Singh says that Facebook uses an algorithm that automatically generates a 6-digit reset passcode. From this it follows that there are only 10^6 (1,000,000) possible combinations. In a blog post, he explained,

“That could possibly mean that if 1 million people request a password within a short amount of time such that no one uses their code to reset the password, then the 1,000,001st person to request a code will get a passcode that someone from the batch has already been assigned.”

How Gurkirat Hacked Multiple Facebook Accounts?

  • Gurkirat collected valid Facebook IDs and then visited www.facebook.com/[ID] with a valid ID number in place of [ID]. This URL automatically redirects from the Facebook ID to the username. In this way he was able to collect 2 million valid Facebook usernames.

He says,

“I first reported this bug on May 3, 2016, but Facebook didn’t believe me such large-scale execution could have been possible. They wanted proof,” Gurkirat told The Hacker News. “So I spent close to a month learning and building the infrastructure to target a batch of 2 million Facebook users. I then re-submitted this bug, and they agreed that it indeed was an issue.”

  • Gurkirat then initiated password reset requests for those 2 million users (each of whom was assigned a 6-digit password reset code). He did this using a script and proxies.
  • Next, he randomly picked a 6-digit number, i.e. 338625, and ran a brute-forcing script that tried that code in the password reset process against all 2 million usernames.
  • He actually executed this and found a matching password reset code and username combination. In this way, he was able to hack those accounts.
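The following is an added example, not code from the original post or from Gurkirat’s tooling. It puts numbers on the risk described in the steps above (one fixed guess against a batch of pending 6-digit codes) and sketches the kind of server-side check that addresses the later point about per-IP throttling: a real user never tries one code value against many different accounts, so that pattern can be detected regardless of source address. The class, function names and thresholds are hypothetical.

```python
from collections import defaultdict

CODE_SPACE = 10 ** 6  # six-digit numeric reset codes, as described in the post


def hit_probability(batch_size: int, code_space: int = CODE_SPACE) -> float:
    """Chance that one fixed guess matches at least one of batch_size
    pending codes, each drawn uniformly and independently."""
    return 1.0 - (1.0 - 1.0 / code_space) ** batch_size


def expected_hits(batch_size: int, code_space: int = CODE_SPACE) -> float:
    """Expected number of pending codes equal to one fixed guess."""
    return batch_size / code_space


class ResetCodeVerifier:
    """Hypothetical server-side check: a per-account attempt limit plus
    a count of how many distinct accounts one code value was tried on,
    which is the signature of a code spray whatever IP it comes from."""

    def __init__(self, max_per_account: int = 5, max_accounts_per_code: int = 3):
        self.max_per_account = max_per_account
        self.max_accounts_per_code = max_accounts_per_code
        self.pending = {}                      # user -> code issued to them
        self.attempts = defaultdict(int)       # user -> verification attempts
        self.code_targets = defaultdict(set)   # code -> users it was tried on
        self.locked = set()

    def issue(self, user: str, code: str) -> None:
        self.pending[user] = code

    def verify(self, user: str, code: str) -> str:
        if user in self.locked:
            return "locked"
        self.attempts[user] += 1
        self.code_targets[code].add(user)
        if len(self.code_targets[code]) > self.max_accounts_per_code:
            # Spray detected: discard every pending code this value was
            # aimed at, so a lucky match can no longer be redeemed.
            for target in self.code_targets[code]:
                self.pending.pop(target, None)
            return "spray_detected"
        if self.attempts[user] > self.max_per_account:
            self.locked.add(user)
            return "locked"
        if self.pending.get(user) == code:
            del self.pending[user]             # codes are single use
            return "ok"
        return "wrong"
```

With the post’s figures (2 million pending codes, 1,000,000 possible values) `expected_hits` is 2 and `hit_probability` is about 0.86, which is why the pool size, not the guess, decides the outcome.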

He reported this bug to Facebook and was rewarded $500. Facebook has since taken further security steps. In this context, he says,

“I would have never imagined that a company as big as Facebook would be susceptible to sheer computing power. The efficacy of the bug I found relied on just that,” he added, “I was informed by Facebook that the patch has been applied and that they have started throttling aggressively per IP address. Given a much larger pool of IP addresses that can simulate a global network flow combined with little social engineering, I still doubt if their patch is strong enough to mitigate this vulnerability.”

Here’s How To Protect Your Facebook Accounts

#1. Turn On Login Approvals
Login approvals is a two-factor authentication system that requires you to enter a code Facebook sends to your mobile phone via text message whenever you log into Facebook from a new or unrecognized computer. Once you have entered this security code, you’ll have the option to save the device to your account so that you don’t see this challenge on future logins.
#2. Turn On Login Notification Alerts
Login alerts are an extra security feature. When you turn on login alerts, Facebook will send you a notification if someone tries logging into your account from a new place.
To turn on login alerts:
1. Go to your Security Settings
2. Click the Login Alerts section
3. Choose the type of alert (ex: email alerts) you’d like to receive and click Save Changes
#3. Set A Strong Password
Do you create a complex password whenever you sign up for a new website account, or do you reuse a regular, easily guessable password for all of them? If you use the same password for every account so that you can memorize it easily, you make it much easier for hackers to take over your account by guessing it or by running a brute-force attack. To safeguard your account, set a strong password that is too tough to guess.
So don’t worry about the hack. Follow the tips above to secure your Facebook account. Comment below if you have trouble with any of them.