Gurkirat Singh from California recently discovered a loophole in Facebook's password-reset flow. Read on to learn how it works.
The theory of the attack is simple; the execution is harder. Facebook's password-reset flow generates a 6-digit code, which gives 1,000,000 possible values. A code stays valid until it is used. Nobody has found a weakness in the generator itself; the codes appear to be random. The idea is that if a large number of accounts have a reset code outstanding at the same time and none of those codes are used, the codes must start to repeat: once 1,000,000 codes are outstanding, the 1,000,001st request is guaranteed to receive a code that some other account already holds. In practice the attacker does not even need to reach that point. With two million codes outstanding, any single 6-digit guess is on average already held by about two of those accounts, so the question becomes which account, not whether one exists.
Singh tested this idea by sending two million password-reset requests in order to obtain duplicated codes. The underlying idea is the pigeonhole principle.
In mathematics, the pigeonhole principle states that if n items are put into m containers, with n > m, then at least one container must contain more than one item. This theorem is exemplified in real life by truisms like “there must be at least two left gloves or two right gloves in a group of three gloves”.
He then chose a 6-digit number that was likely to occur. From his sampling, integers below 100,000 appeared less often than integers between 300,000 and 699,999 or between 800,000 and 999,999, which appeared more often. He notes that this is not a hard rule, but that the observation from his testing would help him later. Treat it as an empirical observation on his sample rather than a property of the generator: for a uniformly random generator, every range of equal width is equally likely, and a real skew would be a second, separate finding. So he picked a number, and now he needed to brute-force it against two million accounts.
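The arithmetic behind the attack is worth seeing explicitly, because the pigeonhole bound (some pair of accounts shares a code) and the quantity the attacker actually exploits (one fixed guess matches at least one account) are different numbers. The following Python is an added worked example, not code from Singh's post; it takes the article's 6-digit code space and two million outstanding requests as inputs, contrasts them with an assumed 128-bit reset token, and samples a uniform generator to show what the value-range shares from the previous paragraph look like when the generator has no skew. The range boundaries are the ones the article reports; the 128-bit token size is an assumption.

```python
import math
import random

SIX_DIGIT_SPACE = 10 ** 6      # 000000..999999, the code space described in the article
TOKEN_128_SPACE = 2 ** 128     # assumption: what a proper random reset token would offer


def p_fixed_guess_matches(n_outstanding: int, code_space: int) -> float:
    """Probability that ONE fixed guess equals the code of at least one of
    n_outstanding accounts whose codes are independent and uniform.
    This is Singh's attack: pick 338625 and submit it against every account.
    1 - (1 - 1/K)^n, computed via log1p/expm1 so very small values survive."""
    return -math.expm1(n_outstanding * math.log1p(-1.0 / code_space))


def expected_accounts_holding_guess(n_outstanding: int, code_space: int) -> float:
    """Average number of accounts whose outstanding code equals a fixed guess."""
    return n_outstanding / code_space


def p_some_pair_collides(n_outstanding: int, code_space: int) -> float:
    """Pigeonhole / birthday bound: probability that at least two of the
    n_outstanding codes are identical. Exactly 1.0 once n > K (pigeonhole)."""
    if n_outstanding > code_space:
        return 1.0
    log_p_all_distinct = sum(math.log1p(-i / code_space) for i in range(n_outstanding))
    return -math.expm1(log_p_all_distinct)


# Value ranges Singh reported as more or less common (from the article).
RANGES = {
    "000000-099999": (0, 99_999),
    "100000-299999": (100_000, 299_999),
    "300000-699999": (300_000, 699_999),
    "700000-799999": (700_000, 799_999),
    "800000-999999": (800_000, 999_999),
}


def expected_share(name: str) -> float:
    """Share a range gets from a uniform generator: its width divided by 10^6."""
    lo, hi = RANGES[name]
    return (hi - lo + 1) / SIX_DIGIT_SPACE


def range_shares(samples: int, seed: int = 1) -> dict:
    """Draw `samples` codes from a uniform (seeded, non-cryptographic) generator and
    report the share landing in each range; each converges to expected_share()."""
    rng = random.Random(seed)
    counts = {name: 0 for name in RANGES}
    for _ in range(samples):
        code = rng.randrange(SIX_DIGIT_SPACE)
        for name, (lo, hi) in RANGES.items():
            if lo <= code <= hi:
                counts[name] += 1
                break
    return {name: counts[name] / samples for name in RANGES}


if __name__ == "__main__":
    n = 2_000_000
    print(f"P(fixed guess hits some account), n={n}, 6 digits: "
          f"{p_fixed_guess_matches(n, SIX_DIGIT_SPACE):.4f}")
    print(f"expected accounts holding the guess: "
          f"{expected_accounts_holding_guess(n, SIX_DIGIT_SPACE):.1f}")
    print(f"P(some pair shares a code), n=1000: {p_some_pair_collides(1000, SIX_DIGIT_SPACE):.4f}")
    print(f"P(some pair shares a code), n=1000001: {p_some_pair_collides(1_000_001, SIX_DIGIT_SPACE)}")
    print(f"same attack against a 128-bit token: {p_fixed_guess_matches(n, TOKEN_128_SPACE):.3e}")
    for name, share in range_shares(200_000).items():
        print(f"{name}: observed {share:.4f}, uniform expectation {expected_share(name):.4f}")
```

With two million outstanding codes a single guess hits roughly 86% of the time, and pairs of accounts start sharing codes long before the pigeonhole limit (about 39% with only 1,000 outstanding). The same calculation against a 128-bit token gives a probability of the order of 10^-33, which is why the real weakness here is the size of the code space combined with codes that never expire, not the generator's randomness.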
How do you get two million accounts to request a reset? You use Facebook IDs. Facebook IDs tend to be 15 digits long, for example facebook.com/100000000000000. If the ID is valid, Facebook redirects the URL to that account's username, so enumerating IDs yields a list of usernames. Singh has made this publicly available here: Download.

There are other obstacles, for example getting IP-blocked. If you send many password-reset requests from one address you will eventually be blocked, so Singh used a pool of 1,000 IP addresses and spread the reset requests across them. He also mentions that you need to simulate normal user behaviour when requesting a code, so he used PhantomJS and wrote a multithreaded Java script that requests a code for every user in the username list.

Finally it was time to execute the attack. Singh used a free trial of Google Compute Engine, set up 8 virtual machines, each with 12 cores and 20 GB of RAM, in different regions, and let the scripts run. (The original post includes a screenshot of the attack in progress.)
The next step was to brute-force each account with a pending password reset using a single code with a high probability of occurring, 338625. As the picture he took shows, he found one account where it matched.
That meant that when he browsed to that reset link, he was prompted to set a new password for the account, which would have let him take it over.
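Seen from the defender's side, the procedure described above has a distinctive signature that a per-IP rate limiter never sees: reset requests spread thinly over a large pool of source addresses add up to a site-wide flood of distinct accounts, and the brute-force step submits one and the same code against thousands of different accounts. The following Python is an added example, not code from Singh's post or from Facebook. The log format, the thresholds and the sample log lines are all constructed for the demonstration; the attack sample reproduces the article's pattern at small scale (2,000 accounts over 1,000 source IPs, then the guess 338625 tried against every one of them).

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Assumed (hypothetical) log format, one event per line:
#   <ISO-8601 UTC ts> <event> ip=<addr> account=<id> [code=<6 digits>] [result=ok|fail]
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) (?P<event>reset_request|code_verify) "
    r"ip=(?P<ip>[0-9.]+) account=(?P<account>\d+)"
    r"(?: code=(?P<code>\d{6}))?(?: result=(?P<result>ok|fail))?$"
)

WINDOW_SECONDS = 300
RESET_FLOOD_ACCOUNTS = 500   # distinct accounts requesting a reset in one window, site-wide
PER_IP_ACCOUNTS = 50         # what a naive per-source limiter looks for
CODE_SPRAY_ACCOUNTS = 25     # one code submitted against this many accounts in one window


def parse_events(lines):
    """Parse well-formed lines into dicts; silently skip anything that does not match."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            events.append(ev)
    return events


def window_of(ts):
    """Fixed 5-minute bucket; a sliding window would be stricter but needs more state."""
    return int(ts.timestamp()) // WINDOW_SECONDS


def detect(lines):
    """Return (rule, key, count) alerts for the three patterns described above."""
    resets = defaultdict(set)        # window -> accounts that requested a reset
    resets_by_ip = defaultdict(set)  # (ip, window) -> accounts
    code_targets = defaultdict(set)  # (code, window) -> accounts the code was tried against
    for ev in parse_events(lines):
        w = window_of(ev["ts"])
        if ev["event"] == "reset_request":
            resets[w].add(ev["account"])
            resets_by_ip[(ev["ip"], w)].add(ev["account"])
        elif ev["code"]:
            code_targets[(ev["code"], w)].add(ev["account"])
    alerts = []
    alerts += [("reset_flood", w, len(a)) for w, a in resets.items() if len(a) >= RESET_FLOOD_ACCOUNTS]
    alerts += [("per_ip_flood", ip, len(a)) for (ip, _), a in resets_by_ip.items() if len(a) >= PER_IP_ACCOUNTS]
    alerts += [("code_spray", code, len(a)) for (code, _), a in code_targets.items() if len(a) >= CODE_SPRAY_ACCOUNTS]
    return alerts


def benign_log():
    """Constructed sample: one user resets their own password the normal way."""
    return [
        "2016-02-20T09:58:00Z reset_request ip=192.0.2.7 account=100000000000999",
        "2016-02-20T09:58:40Z code_verify ip=192.0.2.7 account=100000000000999 code=417202 result=ok",
    ]


def attack_log(n_accounts=2000, n_ips=1000, guess="338625"):
    """Constructed sample of the article's pattern at small scale: reset requests for many
    accounts spread over a pool of source IPs (each IP stays below any per-IP limit), then
    the same guessed code submitted against every one of those accounts."""
    lines = list(benign_log())
    base = 100_000_000_000_000
    for i in range(n_accounts):
        ip_index = i % n_ips
        ip = f"10.{ip_index // 256}.{ip_index % 256}.1"
        sec = i % 300   # everything lands inside the 10:00:00-10:04:59 window
        ts = f"2016-02-20T10:{sec // 60:02d}:{sec % 60:02d}Z"
        lines.append(f"{ts} reset_request ip={ip} account={base + i}")
    for i in range(n_accounts):
        sec = i % 300
        ts = f"2016-02-20T10:{sec // 60:02d}:{sec % 60:02d}Z"
        result = "ok" if i == 1337 else "fail"   # one lucky hit, as in the article
        lines.append(f"{ts} code_verify ip=198.51.100.5 account={base + i} code={guess} result={result}")
    return lines


if __name__ == "__main__":
    print("benign:", detect(benign_log()))
    for alert in detect(attack_log()):
        print("attack:", alert)
```

Against the attack sample, `per_ip_flood` never fires because each source address only touches two accounts, while `reset_flood` and `code_spray` both do; the code-spray rule is the cheap one to deploy, since a legitimate user only ever submits a code for their own account. On the prevention side the same data suggests the fixes: expire reset codes after minutes rather than leaving them valid until used, invalidate an old code when a new one is issued, and count failed code submissions per account so that a 6-digit space cannot be swept one guess at a time.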
Singh submitted the bug to Facebook's bug bounty program and received a reward of $500. Apparently Facebook considers this kind of attack low priority (interesting).
And that's how Gurkirat Singh could have gained full access to a lot of Facebook accounts. Original article here: Click Me!