Facebook Vulnerability… They ignored it until now.

Note:  I was not going to post on this originally since Facebook refused to fix the issue.  I like sharing things I find, but not if it is going to screw over a bunch of people.  However, others have now found the hole and are publicly demonstrating it.

Back on May 7th my mother was trying to help my grandmother get back into her Facebook account.  Since my grandmother's phone was right there, she decided to use her phone to reset the password.  My mother went through the process and was logged into the account… one problem… it wasn't my grandmother's account.

I asked to look at the phone and started working through the process and found a major flaw in the authentication process.  It is assumed that if the person is on a cell phone, the request is legitimate.  I took screenshots and sent them to Facebook via their "White Hat" reporting site.

Facebook Fail 1

Facebook basically followed up by saying they don’t have control over phone number re-use… which isn’t the issue.  The issue is that you can use a fake number (someone else’s intercepted number) to reset their password and take over their account.

Facebook Fail 2

The person who responded either doesn’t understand basic security or did not bother reading what I had sent as they gave me information on resetting your password through friends and security questions on the website…

Facebook Fail 3

For a company that is claiming to be open to reports and fixing issues, it bothers me that they took so little interest in fixing this.  For god’s sake, they store credit card information now for payments via their payment gateway… and they couldn’t even be bothered to ask someone some sort of security question before handing the account over on a platter.

I hope now they take it seriously, fix their security issues, and start fully trying to understand what people are reporting instead of just being in the zone of “no, go away.”
