Who has not tried or sought ways to hack a Facebook account? A hacker from California (USA) also tried his own exploration and found a form to crack Facebook password which simply allows him to reset any user password. Yes, a critical failure in Facebook allows a hacker to hack multiple Facebook accounts.
A very critical failure in Facebook allows a hacker to log into multiple Facebook accounts. Who has not tried or sought ways to hack a Facebook account? A hacker from California (USA) also tried his own exploration and found a form to crack Facebook password which simply allows him to reset any user password.
As we all know that the social media giant Facebook basically uses a unique algorithm that simply generates a random 6-digit passcode that is 10⁶ = 1,000,000 possible combinations.
However the hacker, Gurkirat Singh explained in a blog post that “It could possibly mean that if 1 million people request a password within a short amount of time such that no one uses their code to reset the password, then 1,000,0001 people to request code will get a passcode that someone from the batch has already been assigned”.
What the hacker Gurkirat Singh tried to explain?
Basically, whenever more than 1,000,000 users request the password reset at that time the social media giant Facebook simply needs to store the duplicate codes for the multiple users. Yes, this means that more than two people have the same reset code and to use this for his purpose, the hacker Gurkirat Singh simply formed a new way to send the code in 2 million password change requests to Facebook.
Usually, the Facebook IDs are 15-digit long, while the hacker Gurkirat Singh made queries to Facebook Graph API to see which IDs were valid simply by using 1,00,000,000,000,000. But, it is only possible if you have authorized Facebook apps. After this, you can simply enter the ID in the URL like “www.facebook.com/[ID]” once the match found. It will automatically change the ID into a username.
The hacker Gurkirat Singh used a series of commands within a file that is capable of being executed without being compiled simply to simulate user behavior when a passcode is required. It simply requests a passcode to every user in the JSON file created earlier. For the IP problem, the Gurkirat Singh simply used a proxy server that listened to HTTP Requests and then assigned a random IP address to each request.
The hacker told the Hacker News that “I would have never imagined that a company as big as Facebook would be susceptible to sheer computing power. The efficacy of the bug I found relied on just that”.
Also added that “I was informed by Facebook that the patch has been applied and that they have started throttling aggressively per IP address. Given a much larger pool of IP addresses that can simulate a global network flow combined with little social engineering, I still doubt if their patch is strong enough to mitigate this vulnerability”.
