The problem was with Facebook’s password reset, which is usually how people regain access to their Facebook account after they’ve been hacked.
Normally, the user is able to reset the password from a phone or email account previously provided to Facebook, but the discovered vulnerability allowed hackers to circumvent that process.
According to Sow, however, if an attacker navigated to a specific Facebook page designed for regaining control of hacked accounts, they would be able to perform a password reset without knowing what the original password was.
Sow reported the flaw to Facebook via its White Hats program, and it has now been patched to require the user to enter their original password.
For those techies out there, here is what Sow says was happening prior to the Facebook fix:
… an attacker can change/reset a user’s password without knowing the user’s current password by accessing this URL directly: https://www.facebook.com/hacked.
After that, the page will be redirected to https://www.facebook.com/checkpoint/checkpointme?f=[userid]&r=web_hacked
Now, the attacker can click “Continue” to change/reset the user’s password.
According to Sow, Facebook has fixed this issue. Now when you go to Facebook.com/hacked, the username is nowhere in the URL, preventing your page from being totally co-opted by hackers.
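The two changes described above (ask for the original password, and stop taking the account from the URL) can be shown side by side in a small model. This is an added example, not Facebook's code: the `Accounts` class, its method names, the in-memory stores and the sample user IDs are all hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import os


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Accounts:
    """Hypothetical in-memory account store (constructed for this example)."""

    def __init__(self):
        self.users = {}     # user_id -> (salt, password hash)
        self.sessions = {}  # session token -> user_id

    def add_user(self, user_id, password):
        salt = os.urandom(16)
        self.users[user_id] = (salt, _hash(password, salt))

    def check(self, user_id, password):
        salt, stored = self.users.get(user_id, (b"", b""))
        return hmac.compare_digest(stored, _hash(password, salt))

    def login(self, user_id, password):
        if not self.check(user_id, password):
            return None
        token = os.urandom(16).hex()
        self.sessions[token] = user_id
        return token

    def reset_before(self, query, new_password):
        # Pre-fix behaviour as the report describes it: the account is
        # named by the "f" URL parameter and the old password is never asked for.
        user_id = query["f"]
        if user_id not in self.users:
            return False
        self.add_user(user_id, new_password)
        return True

    def reset_after(self, session_token, current_password, new_password):
        # Post-fix behaviour: the account comes from the server-side session,
        # no identifier is accepted from the request, and the caller must
        # prove knowledge of the current password.
        user_id = self.sessions.get(session_token)
        if user_id is None or not self.check(user_id, current_password):
            return False
        self.add_user(user_id, new_password)
        return True
```
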
Have you ever had your Facebook page hacked? How much of a headache was it for you to regain your permissions?