Vietnam.vn - Platform for promoting Vietnam

Serious vulnerability helps hackers attack Facebook accounts

Báo Thanh niên, 01/03/2024


Cybersecurity expert Samip Aryal, who is currently at the top of Facebook's bounty list, has just announced information about a security vulnerability on the social network that allows hackers to exploit victims' accounts. The incident was discovered and patched on February 2nd, but was not publicly announced until a month later (due to security regulations).

According to Aryal, the vulnerability relates to the Facebook password reset process, which uses an optional feature to send a 6-digit verification code to another device previously logged in or registered by the user. This code verifies the user's identity and is used to complete the password reset process on a new device (one that has never been logged in before).

While analyzing the requests, he discovered that Facebook sends a fixed verification code (a sequence of numbers that doesn't change), valid for 2 hours, with no security measures to prevent brute-force attacks, a type of unauthorized access that tries all possible combinations until the correct sequence of characters is found.

Facebook account compromised simply by guessing login credentials.

This means that within two hours of receiving the code, a hacker can enter the activation code incorrectly countless times without encountering any preventative measures from Facebook's system. Normally, if the code or password is entered incorrectly too many times, a security system will temporarily suspend login access for the suspicious account.
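As an added illustration (not code from the article, the researcher, or Facebook), this Python sketch shows the server-side controls the paragraph above describes as missing: a fresh random 6-digit code per request, a short expiry, a cap on wrong entries that burns the code, and a cap on how often a code can be requested. The class name, the limit values and the in-memory storage are all assumptions.

```python
import hmac
import secrets
import time

class ResetCodeVerifier:
    """In-memory sketch: 6-digit reset codes with expiry, attempt cap, issue cap."""

    def __init__(self, max_attempts=5, ttl=600, max_issues=3, issue_window=3600,
                 clock=time.time):
        # All limits are assumed policy values, not figures from the article.
        self.max_attempts, self.ttl = max_attempts, ttl
        self.max_issues, self.issue_window = max_issues, issue_window
        self.clock = clock
        self._pending = {}   # account -> [code, expires_at, failed_attempts]
        self._issued = {}    # account -> timestamps of recent code requests

    def issue(self, account):
        now = self.clock()
        recent = [t for t in self._issued.get(account, []) if now - t < self.issue_window]
        if len(recent) >= self.max_issues:
            self._issued[account] = recent
            return None      # too many requests: no new code, so no fresh guesses
        self._issued[account] = recent + [now]
        # A new random code per request replaces (and invalidates) the previous one.
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[account] = [code, now + self.ttl, 0]
        return code

    def verify(self, account, submitted):
        entry = self._pending.get(account)
        if entry is None:
            return "no_pending_code"
        code, expires_at, _ = entry
        if self.clock() >= expires_at:
            del self._pending[account]
            return "expired"
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(code.encode(), str(submitted).encode()):
            del self._pending[account]      # single use
            return "ok"
        entry[2] += 1
        if entry[2] >= self.max_attempts:
            del self._pending[account]      # burn the code: the right value no longer works
            return "locked"
        return "wrong"
```

With these assumed limits, one account gets at most 15 guesses per hour against 1,000,000 possible codes, and every "locked" result is a natural point to raise an alert.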

Two hours might not seem like much time to the average person, but it's entirely achievable for hackers using the right tools.

The attacker only needs to know the target account's login name to send a verification code request, then apply a relentless brute-force attack for 2 hours, until they can easily reset the password, gain control, and "kick out" the real account owner's sessions before they can do anything.

According to Mr. Vu Ngoc Son, Chief Technology Officer of NCS, this type of attack is beyond the user's ability to defend against and is known as a zero-click attack. With this method, hackers can steal a victim's account without any action from them.

"When this vulnerability is exploited, the victim will receive a notification from Facebook. Therefore, if you suddenly receive a notification from Facebook about password recovery, it is very likely that your account is being attacked and taken over," Mr. Son shared. The expert said that with vulnerabilities like the one mentioned, users can only wait for the provider to patch the bug.

Facebook is a popular social network in many countries around the world, including Vietnam, and users upload and store a lot of personal data during their use of it. Therefore, hackers often target and take control of accounts on the platform to carry out fraudulent schemes.

One of the most prominent methods is impersonating victims and contacting relatives on their friend list to request bank transfers in order to scam money. This method, aided by Deepfake technology to create fake video calls, has tricked many people. To further gain trust, scammers even buy and sell bank accounts with names matching those of Facebook account holders to facilitate their fraudulent activities.

Another form of attack involves hijacking accounts and using them to send links or files containing malware, spreading them on social media. This malware attacks and steals personal information (such as bank account numbers, photos, contacts, messages, and various other data stored in the device's memory) after being activated on the target device (the victim's device).


