Beware! A Hacker Finds A Way To Hack Multiple Facebook Accounts
A critical flaw in Facebook's password reset flow allowed a hacker to log into multiple Facebook accounts. Who has not tried or sought ways to hack a Facebook account?
A hacker from California (USA) tried his own exploration and found a way to crack Facebook's password reset codes, which allowed him to reset any user's password.
Facebook's password reset flow sends the user a random 6-digit passcode, which gives 10⁶ = 1,000,000 possible combinations.
However, the hacker, Gurkirat Singh, explained in a blog post that “It could mean that if 1 million people request a password within a short amount of time such that no one uses their code to reset the password, then the 1,000,001st person to request a code will get a passcode that someone from the batch has already been assigned”.
What was the hacker Gurkirat Singh trying to explain?
Basically, whenever more than 1,000,000 users have an unused password reset code at the same time, Facebook has to hand out duplicate codes to different users. Yes, this means that at least two people hold the same reset code, and to exploit this, Gurkirat Singh sent 2 million password reset requests to Facebook.
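To make the arithmetic behind Gurkirat Singh's reasoning concrete, here is an added Python example; it is not code from the article, from Facebook, or from the researcher. It models reset codes as uniform draws from the 10⁶ space, shows that 1,000,001 outstanding codes guarantee a duplicate (the pigeonhole principle), gives the expected number of distinct codes among n requests, and contrasts a hypothetical "global" code lookup, where a submitted code is matched against every pending reset, with an account-bound store that makes duplicates across accounts harmless. The class names, the attempt budget of 5, and the fixed code 123456 used in the demo are assumptions for illustration.

```python
import hmac
import secrets
from collections import Counter

CODE_SPACE = 10**6  # six decimal digits: 000000 .. 999999, as the article states


def issue_codes(n_requests, randbelow=secrets.randbelow):
    """Model one uniformly random 6-digit passcode per reset request."""
    return [randbelow(CODE_SPACE) for _ in range(n_requests)]


def duplicate_stats(codes):
    """Return (distinct code values, number of values shared by 2+ requests)."""
    counts = Counter(codes)
    shared = sum(1 for c in counts.values() if c > 1)
    return len(counts), shared


def duplicate_guaranteed(n_outstanding):
    """Pigeonhole principle: more outstanding codes than values forces a duplicate."""
    return n_outstanding > CODE_SPACE


def expected_distinct(n_requests):
    """Expected distinct codes among n uniform draws: S * (1 - (1 - 1/S)^n)."""
    return CODE_SPACE * (1 - (1 - 1 / CODE_SPACE) ** n_requests)


class GlobalCodeLookup:
    """Hypothetical weak design: a submitted code is matched against every
    pending reset, so with duplicates in the pool one code can land on
    whichever account happens to share it."""

    def __init__(self):
        self.pending = {}  # account_id -> code

    def issue(self, account_id, randbelow=secrets.randbelow):
        self.pending[account_id] = randbelow(CODE_SPACE)
        return self.pending[account_id]

    def redeem(self, submitted):
        """Return whichever account currently holds this code, or None."""
        for account_id, code in self.pending.items():
            if code == submitted:
                del self.pending[account_id]
                return account_id
        return None


class AccountBoundCodeStore:
    """Hardened design: a code is only checked against the account it was
    issued to, is single use, and gets a small per-account attempt budget,
    so a duplicate value on another account is worthless."""

    MAX_ATTEMPTS = 5  # assumed budget for illustration

    def __init__(self):
        self.pending = {}  # account_id -> {"code": int, "attempts": int}

    def issue(self, account_id, randbelow=secrets.randbelow):
        code = randbelow(CODE_SPACE)
        self.pending[account_id] = {"code": code, "attempts": 0}
        return code

    def redeem(self, account_id, submitted):
        entry = self.pending.get(account_id)
        if entry is None or not isinstance(submitted, int):
            return False
        if entry["attempts"] >= self.MAX_ATTEMPTS:
            return False  # budget exhausted; the user must request a new code
        entry["attempts"] += 1
        # constant-time comparison of the zero-padded decimal strings
        ok = hmac.compare_digest(f"{entry['code']:06d}", f"{submitted:06d}")
        if ok:
            del self.pending[account_id]  # single use
        return ok


if __name__ == "__main__":
    codes = issue_codes(CODE_SPACE + 1)  # one more request than there are values
    distinct, shared = duplicate_stats(codes)
    print(f"{len(codes)} requests -> {distinct} distinct codes, {shared} shared values")
    print(f"expected distinct codes for 2,000,000 requests: {expected_distinct(2_000_000):.0f}")

    fixed = lambda n: 123456  # force a collision between two accounts for the demo
    weak = GlobalCodeLookup()
    weak.issue("alice", fixed)
    weak.issue("bob", fixed)
    print("global lookup of 123456 resets:", weak.redeem(123456))  # alice, not the submitter

    hardened = AccountBoundCodeStore()
    hardened.issue("alice", fixed)
    hardened.issue("bob", fixed)
    print("bob redeems 123456 for bob:", hardened.redeem("bob", 123456))    # True
    print("same code for carol:", hardened.redeem("carol", 123456))          # False
```

Running the demo shows the pigeonhole guarantee directly: 1,000,001 outstanding codes always yield at least one shared value, and expected_distinct(2_000_000) is about 864,665, so among two million outstanding codes well over a hundred thousand values are held by more than one account. The defence is not a larger code space alone but binding each code to the account it was issued for, limiting attempts per account, and throttling per IP, which is the patch Facebook applied.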
Facebook IDs are usually 15 digits long. Gurkirat Singh queried the Facebook Graph API, starting from 100,000,000,000,000, to see which IDs were valid; this only works with an authorized Facebook app. Once a valid ID is found, entering it in a URL of the form “www.facebook.com/[ID]” automatically redirects to the account's username.
Gurkirat Singh then used a script to simulate a user asking for a passcode: it simply requested a passcode for every user in the JSON file created earlier. To get around the per-IP limits, he routed the requests through a proxy server that listened for HTTP requests and assigned a random IP address to each one.
The hacker told Hacker News that “I would have never imagined that a company as big as Facebook would be susceptible to sheer computing power. The efficacy of the bug I found relied on just that”.
He also added that “I was informed by Facebook that the patch has been applied and that they have started throttling aggressively per IP address. Given a much larger pool of IP addresses that can simulate a global network flow combined with a little social engineering, I still doubt if their patch is strong enough to mitigate this vulnerability”.