Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 


Forgot your password?
Close
typodupeerror
×
Facebook Bug Security Social Networks

Facebook Fixes Bug That Allowed Users To Set Other Users' Passwords 49

Posted by timothy from the cross-pollination dept.
An anonymous reader writes: Facebook has paid $15,000 (€13,600) to an independent security researcher who discovered a simple way of resetting passwords for other people's Facebook accounts, setting a new passphrase and effectively taking over profiles.

The problem was in the fact that Facebook also runs a Beta platform on beta.facebook.com. This platform's "reset password" feature did not include brute-force protection and allowed anyone to guess the six-digit verification code sent to someone's phone when resetting the password. This issue also raises another question: How many unsafe features are on Facebook's beta platform that have not been patched simultaneously with the main platform?
This discussion has been archived. No new comments can be posted.

Facebook Fixes Bug That Allowed Users To Set Other Users' Passwords More

Facebook Fixes Bug That Allowed Users To Set Other Users' Passwords

Comments Filter:
  • It's not like Facebook was really private anyway...People can mark/identify others without the account owner's consent. So this is no surprise to me. Security/privacy is not exactly a priority at facebook. (the opposite actually..)

    • Re: (Score:2, Informative)

      by Anonymous Coward

      People can mark/identify others without the account owner's consent.

      Any time I'm tagged anywhere, I get notified and can force remove it if I choose.
      But it's not like you or anyone else can prevent someone from simply adding text to a picture with their name on it. But let's blame facebook for that too, because reasons.

      Security/privacy is not exactly a priority at facebook

      In relation to this article, this bug only affects people who give FB their phone number and set it to their 'account recovery' preference. I've never done either, mine works via my email, and the "code" they send is pretty damn long and includes letters/numb

      • Re: (Score:2)

        by dbIII ( 701233 )

        In relation to this article, this bug only affects people who give FB their phone number

        It actually creeps me out a bit that Facebook even ask.

    • Re: (Score:2)

      by darkain ( 749283 )

      "Security/privacy is not exactly a priority at facebook." [Citation Needed]

      https://www.yubico.com/2013/10... [yubico.com]

  • Better question: why running prod data in beta? (Score:5, Interesting)

    by xxxJonBoyxxx ( 565205 ) on Monday March 07, 2016 @02:26PM (#51654295)
    I could see having a per-account switch to "allow me to use my account in beta" (default = OFF) for developers who want to play with this stuff, but why would you want to expose your production customers to untested software like this?

    >> Weird to see less protection on the beta platform

    Not if you've ever seen teams refactor code in a large codebase. When that occurs, you often lose a lot of the "history" and "memory" of a branch, which often resurfaces bugs, edge cases take care of years ago and new vulnerabilities.

    • Re: (Score:2)

      by halivar ( 535827 )

      I've seen it all the time. You go to rewrite a library or module because it's old and busted, it wasn't sufficiently documented, and you find "joe code" that has you scratching your head. "Why did they do this? This is literally the dumbest way to do this, ever." When your new module hits production, you soon realize why it was just so.

    • Re: (Score:3)

      by KGIII ( 973947 )

      > ... your production customers ...

      There you go again. You seem confused as to who the customer is and, by extension, who gets the prioritized attention and care. (Hint: It's not the people who have 'user' accounts.)

      • Yes that is pretty funny. They were giving their advertisers the opportunity to test that all the advertising and data mining was working.

    • but why would you want to expose your production customers to untested software like this?

      You are not the customer.
      Advertisers are the customer.
      You are the product.

  • And we can go back to using "1234" as our password.

    Nobody will ever guess that.

    • Almost 90% of people do not use that passcode.

      What I don't understand is why so few people use 8068. It's a perfectly good passcode, but it's the least chosen one.

      • Almost 90% of people do not use that passcode.

        What I don't understand is why so few people use 8068. It's a perfectly good passcode, but it's the least chosen one.

        I always use 8077. Better chipset.

  • only $15k? (Score:4, Insightful)

    by Anonymous Coward on Monday March 07, 2016 @02:35PM (#51654347)

    fucking cheapskates.

    ___

    wtf is with capcha treating me like a nigerian prince trying to send webmail? captcha: zmnjwfm

  • This issue also raises

    What did it do first to warrant the use of the world "also"?

    another question

    What was the first question?

  • Problem is password reset itself (Score:4, Insightful)

    by WaffleMonster ( 969671 ) on Monday March 07, 2016 @02:51PM (#51654435)

    Schemes for resetting passwords fundamentally lower the security of the system and almost always rely on insecure transports (Email and SMS).

    At the very least users should be given the option of not allowing any password reset or recovery features to be used in conjunction with their account.

    Rather than conceding to inevitability of forgotten passwords I would rather see sites warn users ahead of time what the consequences are including suggestion to write it down and store it in a safe place.

    --
    From origional descent devs
    http://media.revivalprod.com/O... [revivalprod.com]

    • Password recovery is in itself, an art form.

      One thing I've wondered about is the concept of password recovery providers. Not a central website, since it can get compromised, but different organizations, similar to how OpenID is set up.

      When setting an account with some provider, one chooses a recovery provider or providers, and what methods will be used to get back the account. This way, if someone has their own dedicated VM or device that makes an OATH number, that can be used. Another provider sends an

  • 15K? I would have paid more. That's total account compromise from what I can read. That deserves more, even if the entry point is from the beta platform.
  • They don't know anything about programming and even less about security.

  • A Facebook security problem? I can hardly believe that, seeing as how it's never happened before. *cough*

  • So that's how I ended up in Oregon, checking my Facebook on a Windows machine... Good thing they didn't bruteforce my 2nd factor.

  • It's only me that thinks that it's a really low bounty for such a bug? I mean, relative to the black market price.

Slashdot Top Deals

"What man has done, man can aspire to do." -- Jerry Pournelle, about space flight

Close