Facebook password reset bug closed
Contributed by: Email on 01/08/2013 03:36 PM [ Comments ]
In the process of creating a system which would allow Facebook users with compromised accounts to regain control of their accounts, the company managed to open a hole which could have allowed attackers to reset users' passwords without knowing their old password and, ironically, allowing them to compromise users' accounts. The flaw was reported to Facebook and closed through its White Hat disclosure page.
The problem, discovered by Sow Ching Shiong and documented on his blog, required that the user be logged in and visit the https://www.facebook.com/hacked URL. This URL is apparently designed for users who still have an active session but believe their account has been compromised; accessing it without logging in sends the user to forms which ask them to establish their identity. If they are logged in, the user was redirected to https://www.facebook.com/checkpoint/checkpointme?f=[userid]&r=web_hacked and on clicking "Continue" on that page asked to enter a new password. But, contrary to best practice, the form did not ask for their old password.
Ching Shiong told The H there were three scenarios where this flaw could be used maliciously. A local attack could happen where a user has forgotten to lock their desktop or laptop; the attacker merely needs to access the "hacked" page to reset the password. An internal attack, where the user's session ID could be sniffed because they were not using HTTPS, could allow the malicious party to hijack the session. Finally an external attack could have leveraged an XSS or clickjacking flaw to steal the session ID. However, without somehow hijacking a user's session, it was not possible to exploit the flaw. The password page is reported now to ask for the old password as well as the new password to ensure the account owner is logged in.
The problem, discovered by Sow Ching Shiong and documented on his blog, required that the user be logged in and visit the https://www.facebook.com/hacked URL. This URL is apparently designed for users who still have an active session but believe their account has been compromised; accessing it without logging in sends the user to forms which ask them to establish their identity. If they are logged in, the user was redirected to https://www.facebook.com/checkpoint/checkpointme?f=[userid]&r=web_hacked and on clicking "Continue" on that page asked to enter a new password. But, contrary to best practice, the form did not ask for their old password.
Ching Shiong told The H there were three scenarios where this flaw could be used maliciously. A local attack could happen where a user has forgotten to lock their desktop or laptop; the attacker merely needs to access the "hacked" page to reset the password. An internal attack, where the user's session ID could be sniffed because they were not using HTTPS, could allow the malicious party to hijack the session. Finally an external attack could have leveraged an XSS or clickjacking flaw to steal the session ID. However, without somehow hijacking a user's session, it was not possible to exploit the flaw. The password page is reported now to ask for the old password as well as the new password to ensure the account owner is logged in.
Comments