Flaw in Facebook password resets could allow random account takeovers; severity of bug disputed
A researcher was awarded a $500 bug bounty after finding a bug in Facebook's password reset process that could allow bad actors to take over random user accounts, but not specific, targeted accounts.
An independent researcher found a way to theoretically take over random Facebook accounts by forcing millions of user password resets and then brute-forcing each reset request to check for a specific six-digit authorization code.
The researcher, Gurkirat Singh – by day, a software graphics engineer at Intel – personally characterized the vulnerability as “critical” because a successful exploit can lead to the total compromise of an affected account. Facebook, however, has classified the bug as low-priority because such an attack would be random, not targeted, and because there are multiple security checks in place that would likely detect and stop it, the Menlo Park, Calif.-based company explained in a reply to the researcher obtained by SCMagazine.com.
As Singh explains in a Hacker Noon post, there are exactly one million possible six-digit authorization codes that Facebook can send to a user when he or she requests a password reset. These passcodes do not expire right away; ergo, if more than one million users request password resets within a short period of time, it becomes increasingly likely to exhaust all of the possible active passcodes that Facebook stores in its servers at any given time. This then increases the odds that a hacker could select any random passcode and match it to at least one of these reset accounts.
Of course, the odds of over a million people all requesting passwords in a short duration of time is highly improbable – unless a hacker does something to change those odds. And that's where Singh's research comes in.
“I was at a tech conference early this year and as I was talking to one of the Facebook software engineers there. He mention[ed] to me how Facebook's security is really tight and they are proud of that. So I told him that I [would] try to prove him wrong,” said Singh in an email interview with SCMagazine.com. “Knowing that finding bugs in companies like Facebook and Google has become a holy grail for security researchers, I took it as a challenge to find a bug in Facebook's website.”
In order to accrue enough fake accounts to generate copious amounts of password resets, Singh fabricated 100 trillion possible Facebook user ID numbers (which are 15 characters in length) and then used the Facebook Graphic API to validate which of these ID numbers belonged to real accounts. Singh looked up and extracted the user names associated with these accounts from their respective URLs and then used these profiles to simulate sending out 2 million password change requests.
Normally, sending out so much traffic at once might result in Facebook blocking the attacker's IP address. To counter this scenario, Singh used a rotating IP service that simulated a normal flow of traffic. He then used a headless browser to write a Java-based script that would submit passcode requests from the collected user accounts, and hosted these scripts on a Google Computer Engine virtual machine, executing at a rate of 923 HTTP requests per second.
Upon completing the 2 million reset requests, Singh brute-forced all of the user password requests with the passcode 338625 and – voila – found one that was assigned that very code. By entering that code onto the password reset page, an attacker could then have taken over that individual's account. Singh chose the code 338625, theorizing that codes 300,000 through 699,999 had a statistically higher probability of occurring due to a mathematical concept known as the pigeonhole principle.
For his efforts, Facebook presented Singh with a $500 bug bounty – the minimum award for a discovered vulnerability.
Facebook explained its justification for the smaller reward in its reply to the researcher, noting that the discovered exploit requires a large-scale attack, and only “allows you to get a recovery code for a random account out of a very large set of possible targets... Additionally, even if you get the recovery code for one account, you'd then encounter other defenses against suspicious logins – that is, the account would likely be put in a checkpoint you wouldn't be able to easily clear in this untargeted attack scenario.” For instance, users would have been sent notification emails alerting them that they have requested a password change.
Singh, however, argued that Facebook's current checkpoints “can easily be overcome with social engineering,” and offered SCMagazine.com several suggestions for how Facebook could bolster its password reset process: “Facebook started overseeing requests per IP more closely after I filed the bug, but they cannot stop… an attack like this given enough resources,” said Singh. “Hence, they have to make other security measures stronger that will prevent complete account takeover even if you have the six-digit code. Measures that will actually prove to Facebook that the person requesting the code is really them, like asking them to speak something and using AI to see if their voice matches.”
In contrast to Singh's disclosure, researcher Anand Prakash earned a $15,000 bug bounty last March after identifying what Facebook considered to be a far more severe vulnerability. In this case, the domains beta.facebook.com and mbasic.beta.facebook.com did not impose rate limits on individual users' passcode entry attempts, allowing attackers to potentially take over any accounts they wanted though a simple brute-force attack.
In its correspondence to the researcher, Facebook did acknowledge that Singh's threat “posed enough of a risk that we added some additional rate limiting to increase the cost [and] effort of such an attack, but we also already had plans in the works to make broader changes that should help mitigate this even further.”
Oded Vanunu, head of products vulnerability research at Check Point Software Technologies, told SCMagazine.com in an email that he believes the vulnerability should have been classified as at least a medium or high-level threat, noting that the researcher's proof of concept “exposes a few logic bugs in Facebook's infrastructure, including weak key algorithm randomization and lack of brute-force detection.”
However, Alex Rice, CTO and co-founder of bug bounty platform provider HackerOne, told SCMagazine.com in his own emailed statement that Facebook's assessment was fair. “While an interesting bug, the impact against real users is decidedly small as such activity is easily detected and mitigated, were live exploitation to occur at the scale needed to have an observable impact,” said Rice. “Ultimately, the security team here is in the best position to provide a fair and accurate assessment on the impact of this vulnerability. The team has a long track record in rewarding security research appropriately and this bounty is in line with what HackerOne would recommend for a lower severity finding.”
“By no means should that detract from the validity of this finding,” Rice continued. “It is great work, simply not of critical severity.”