
The Facebook security flaw that allowed any Facebook account to be hijacked, and earned a bounty of 11 lakh Taka!!

A Facebook security flaw was discovered through which the password of any ID could be reset and full control of the account taken. Described in theory it may sound like a social engineering attack, but a technical analysis shows that it was a genuine security flaw, and exactly the kind of security threat Facebook faces.
When we forget our password, a six-digit code is sent to our e-mail address or phone, and entering that code on facebook.com is essentially all it takes to set a new password for the account. If this code is brute forced, Facebook blocks the attacking IP address after a certain time. Hijacking a password through such tokens has been covered on this blog before; if you want the details, read the earlier post (the Facebook password reset hijack trick).
Normally a token cannot be tried an unlimited number of times: to prevent spamming, a rate limitation kicks in automatically and the IP address is blocked.
This attack does not work on the main Facebook site, but it works amazingly well on beta.facebook.com and beta.mbasic.facebook.com, because beta.facebook.com had no rate limit at all. The attacker therefore has a password reset token sent to the e-mail address or phone of the target account and brute forces the six-digit code. Since the most recently issued token for the account stays valid while the guesses are submitted repeatedly, brute forcing it makes it possible to change the password of any account and take control of it!!
The exploitation is simple, and no account is safe from it. Bypassing the rate limit means submitting the token many times, which is almost impossible to do by hand, so Portswigger's well-known Burp Suite is used here, specifically its Repeater. When the token is submitted the first time, the request is intercepted with the Burp Proxy and sent to the Sequencer module; from Repeater the token guesses are then sent continuously, bypassing the rate limit, until control of the account is taken.
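To make the difference between the two endpoints concrete, here is a toy model of a reset-code verification service with and without an attempt limit, and the attacker's brute-force loop run against both. This is an added example written for this article, not code from the original post or from Facebook; the class name, the `verify` responses, the 20-attempt lock-out and the sample account are assumptions chosen for the demo, not Facebook's real endpoints or limits.

```python
# Added example (not from the original post): a toy model of the two
# password-reset verification endpoints described above.  The class, its
# method names and the numbers used are assumptions chosen for the demo;
# they are not Facebook's real endpoints or limits.
import hmac
import secrets

CODE_LENGTH = 6          # six-digit code, 10**6 = 1,000,000 possibilities
KEYSPACE = 10 ** CODE_LENGTH


class ResetCodeService:
    """Issues one reset code per account and verifies guesses against it.

    max_attempts=None models the beta endpoint in the post: unlimited tries.
    An integer models a rate-limited endpoint that locks the account's
    reset flow after that many wrong guesses.
    """

    def __init__(self, max_attempts=None):
        self.max_attempts = max_attempts
        self._codes = {}      # account -> pending code
        self._failures = {}   # account -> wrong guesses so far
        self._locked = set()  # accounts whose reset flow is locked

    def request_reset(self, account, code=None):
        # In the real flow the code is mailed/SMSed to the user; it is returned
        # here only so the demo can show what the attacker is guessing at.
        if code is None:
            code = f"{secrets.randbelow(KEYSPACE):0{CODE_LENGTH}d}"
        self._codes[account] = code
        self._failures[account] = 0
        self._locked.discard(account)
        return code

    def verify(self, account, guess):
        """Return 'ok', 'wrong' or 'locked' for one submitted code."""
        if account in self._locked:
            return "locked"
        code = self._codes.get(account)
        # compare_digest avoids leaking the code through timing differences
        if code is not None and hmac.compare_digest(code, guess):
            del self._codes[account]           # single use: consumed on success
            return "ok"
        self._failures[account] = self._failures.get(account, 0) + 1
        if self.max_attempts is not None and self._failures[account] >= self.max_attempts:
            self._locked.add(account)
            self._codes.pop(account, None)      # invalidate the pending code as well
            return "locked"
        return "wrong"


def brute_force(service, account):
    """Attacker's loop: submit 000000..999999 until the service accepts one
    or locks us out.  Returns (outcome, number_of_requests_sent)."""
    for i in range(KEYSPACE):
        result = service.verify(account, f"{i:0{CODE_LENGTH}d}")
        if result == "ok":
            return "hijacked", i + 1
        if result == "locked":
            return "locked", i + 1
    return "exhausted", KEYSPACE


if __name__ == "__main__":
    victim = "victim@example.com"   # constructed sample account
    for name, limit in (("beta (no rate limit)", None), ("production (20 tries)", 20)):
        svc = ResetCodeService(max_attempts=limit)
        svc.request_reset(victim)
        print(name, brute_force(svc, victim))
```

Against the unlimited service the loop always ends in "hijacked", needing at most a million requests, which is exactly the work Burp Repeater does for the attacker; against the limited service it ends in "locked" after 20 requests, and the pending code is thrown away, so even a correct later guess is useless. The fix for the beta hosts is therefore not a cleverer token but the same per-account attempt counter the main site already enforced.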
For those who have not used Burp Suite this may seem difficult, but it is actually very simple. Burp is used here only as a tool to send the requests; this does not mean the flaw was found by Burp Scanner, or that the attack would not work without Burp.
The flaw was discovered in March of last year and reported to Facebook, which paid a bounty of US$15,000 (about 11 lakh 80 thousand Bangladeshi Taka). The logic is very simple, but to make it easier to understand, a Proof of Concept video was attached.
Who knows, with simple logic like this, maybe ordinary security research can turn into something extraordinary for a security researcher. Saibaratrendaja ithikala works on hacking, and we are committed to spreading knowledge of hacking more widely.
