Hacker reveals How He Could have Hacked Multiple Facebook Accounts

How to Hack a Facebook Account?

hat’s possibly the most frequently asked question on the Internet today. Though the solution is hard to find, a white hat hacker has just proven how easy it is to hack multiple Facebook accounts with some basic computer skills.

Your Facebook account can be hacked, no matter how strong your password is or how much extra security measures you have taken. No joke!

Gurkirat Singh from California recently discovered a loophole in Facebook’s password reset mechanism that could have given hackers complete access to the victim’s Facebook account, allowing them to view message conversations and payment card details, post anything and do whatever the real account holder can.

The attack vector is simple, though the execution is quite difficult.The issue, Gurkirat (@GurkiratSpeca) says, actually resides in the way Facebook allows you to reset your password. The social network uses an algorithm that generates a random 6-digit passcode ‒ that’s 10⁶ = 1,000,000 possible combinations ‒ which does not change until gets ‘used’ (if you request it from mbasic.facebook.com).

“That could possibly mean that if 1 million people request a password within a short amount of time such that no one uses their code to reset the password, then 1,000,0001 person to request a code will get a passcode that someone from the batch has already been assigned,” Gurkirat explains in a blog post.

How to Hack Multiple Facebook Accounts?

Gurkirat first collected valid Facebook IDs by making queries to Facebook Graph API starting with 100,000,000,000,000, since Facebook IDs are generally 15-digit long and then visited www.facebook.com/[ID] with a valid ID number in place of [ID].

Once entered, the URL automatically redirected and changed the Facebook ID to the user’s username. In this way, first, he was able to make a list of 2 Million valid Facebook usernames.

“I first reported this bug on May 3, 2016, but Facebook didn’t believe me such large-scale execution could have been possible. They wanted proof,” Gurkirat told The Hacker News. “So I spent close to a month learning and building the infrastructure to target a batch of 2 million Facebook users. I then re-submitted this bug, and they agreed that it indeed was an issue.”

Then using a script, hundreds of proxies and random user-agents, Gurkirat automatically initiated the password reset requests for those 2 million users, each assigned a 6-digit password reset code, thus consuming the complete 6-digit range.

Gurkirat then randomly picked a 6-digit number, i.e. 338625, and started the password reset process using a brute forcing script against all those usernames in his list, hoping that this number had been assigned by Facebook to someone in his list of 2 million usernames.

Gurkirat practically executed this thing and managed to find a right password reset code and username combination that allowed him to reset the password and hijack a random user’s Facebook account.

Although Facebook has patched the bug after been reported by Gurkirat and rewarded him $500 (that’s little less), Gurkirat has doubt that the patch is not “strong enough to mitigate this vulnerability.”

“I would have never imagined that a company as big as Facebook would be susceptible to sheer computing power. The efficacy of the bug I found relied on just that,” Gurkirat told the Hacker News.

“I was informed by Facebook that the patch has been applied and that they have started throttling aggressively per IP address. Given a much larger pool of IP addresses that can simulate a global network flow combined with little social engineering, I still doubt if their patch is strong enough to mitigate this vulnerability.”

However, Facebook provides you an extra layer of security to protect your account against such attacks.

Here’s How you can Protect Your Facebook account:

Enable Login Approvals: Users are recommended to enable “Login Approvals” as an extra layer of security in order to prevent their Facebook accounts against these kinds of attacks.

With Login Approvals turned ON, Facebook will send you a 6-digit security code via a text message to your registered cell phone if someone tries to log into your Facebook account from a new computer or device or a different web browser.

So, even if your Facebook username and password are entered by an attacker, that 6-digit security code, which has been delivered to your phone, will still be required to log into your account, preventing hackers from accessing your account.

Enable Login Notification Alerts: Facebook also provides a security feature, “Login Alerts,” that send you an email or SMS whenever it suspects an unauthorized user is accessing your account.

If your Facebook account is accessed from a remote device, Facebook sends you an email or SMS alert. If that is an unauthorized access, you can quickly follow the steps listed in the email to disable access for that device.