Meta recently patched a critical vulnerability that could have been exploited to take control of any Facebook account, according to a cybersecurity researcher.
Details of the flaw were disclosed this week by Nepal-based researcher Samip Aryal, who is currently listed at the top of Facebook’s bug bounty program hall of fame for 2024.
According to Aryal, the vulnerability impacted Facebook’s password reset process, specifically an option where a six-digit unique authorization code is sent to a different device the user is logged into. This code is provided to confirm the user’s identity and is used to complete the password reset process.
An analysis of the request sent by the browser when this password reset option was used revealed that the unique code was active for roughly two hours and there was no brute-force attack protection.
An attacker would only need to know the targeted individual’s username; they could then have used a pentesting tool such as Burp Suite to brute-force the six-digit code, allowing them to reset the targeted account’s password or simply log into it.
When the vulnerability was exploited, the targeted user received a notification from Facebook. This notification either directly showed the six-digit code or asked the user to tap the notification to see the code; the second variant would turn it into a one-click exploit rather than a zero-click exploit.
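As an added illustration, not code from the article or from Meta, the following minimal server-side verifier contrasts the configuration described above (a long validity window with no limit on attempts) with one that locks a code after a handful of wrong guesses. Class and parameter names, the five-attempt limit and the TTL values are assumptions for the example.

```python
import secrets
import time
from dataclasses import dataclass

CODE_SPACE = 10**6  # a six-digit numeric code has one million possible values

@dataclass
class _PendingCode:
    code: str
    issued_at: float
    attempts: int = 0
    locked: bool = False

class ResetCodeVerifier:
    """Server-side check for a password-reset code (hypothetical example class).

    ttl_seconds bounds how long a code stays valid; max_attempts bounds how
    many guesses one code may receive before it is locked. max_attempts=None
    reproduces the weakness described above: only the TTL limits guessing.
    """

    def __init__(self, ttl_seconds, max_attempts=5, clock=time.time):
        self.ttl = ttl_seconds
        self.max_attempts = max_attempts
        self._clock = clock  # injectable so expiry can be tested deterministically
        self._pending = {}

    def issue(self, username):
        # Returned here for demonstration only; a real service sends it to the user's device.
        code = f"{secrets.randbelow(CODE_SPACE):06d}"
        self._pending[username] = _PendingCode(code, self._clock())
        return code

    def verify(self, username, guess):
        entry = self._pending.get(username)
        if entry is None or entry.locked:
            return False
        if self._clock() - entry.issued_at > self.ttl:
            del self._pending[username]  # expired: the user must request a fresh code
            return False
        entry.attempts += 1
        if self.max_attempts is not None and entry.attempts > self.max_attempts:
            entry.locked = True  # every further guess, right or wrong, is refused
            return False
        if secrets.compare_digest(entry.code.encode(), guess.encode()):
            del self._pending[username]  # a code is single use
            return True
        return False
```

With `max_attempts=None` a correct guess is accepted no matter how many wrong ones preceded it within the TTL, which is the property the researcher reported; with a small limit the code is dead after the limit is exceeded even if the right value is supplied next.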
The researcher said he reported his findings to Meta on January 30 and the issue was patched by February 2.
Aryal has not disclosed the exact bug bounty amount he received from Meta, but it’s likely significant considering the severity of the flaw.
According to its payout guidelines, Meta is prepared to pay between $5,000 and $130,000 for account takeover exploits, depending on the impacted component and the number of clicks required to execute the exploit.
A zero-click account takeover exploit can earn researchers up to $130,000. Aryal said Meta did classify it as a zero-click exploit, but the social media giant’s response to the researcher suggests that he did not receive the maximum bounty.