Facebook has patched a vulnerability that allowed attackers to take over accounts. The method chained two bugs: one disclosed the user ID, and the other allowed the verification code to be obtained by brute force. The discoverer was paid $40,000.
The platform gives little detail about the bugs, but says that through the first bug an attacker only needed an email address or a phone number to find out the user ID. They could then reset the password of the account by brute-forcing the verification code that validates a phone number, and so take over the account, writes Facebook’s Bug Bounty account.
This method no longer works, according to Facebook, although the company does not say whether it has fixed both bugs. Facebook says it has no indication that the method was abused in practice.
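The takeover described above depends on the verification code being guessable by brute force. The following is an added example, not Facebook's code, of the server-side control that defeats that step: a code store that expires codes, allows only a fixed number of wrong attempts per issued code, makes codes single-use, and compares in constant time. The digit count, attempt limit and lifetime are assumptions chosen for illustration.

```python
import hmac
import secrets
import time

# Assumed parameters (not from the article): 6-digit codes, 5 attempts, 10-minute lifetime.
CODE_DIGITS = 6
MAX_ATTEMPTS = 5
TTL_SECONDS = 600


class VerificationStore:
    """Holds pending phone-verification codes keyed by account id."""

    def __init__(self, now=time.time):
        self._now = now                 # injectable clock so expiry can be tested
        self._pending = {}              # account_id -> [code, issued_at, failures]

    def issue(self, account_id):
        """Generate a fresh code, replacing any earlier one for this account.
        The code is delivered out of band (e.g. SMS); re-issue rate limiting
        per account is a separate control not shown here."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[account_id] = [code, self._now(), 0]
        return code

    def verify(self, account_id, attempt):
        """Return True only for a correct, unexpired, not-yet-exhausted code.
        Every failure mode returns the same False so nothing leaks."""
        entry = self._pending.get(account_id)
        if entry is None:
            return False
        code, issued_at, _failures = entry
        if self._now() - issued_at > TTL_SECONDS:
            del self._pending[account_id]           # expired
            return False
        if hmac.compare_digest(code.encode(), str(attempt).encode()):
            del self._pending[account_id]           # single use
            return True
        entry[2] += 1
        if entry[2] >= MAX_ATTEMPTS:
            del self._pending[account_id]           # exhausted: a new code is required
        return False


def guesses_until_locked(store, account_id, wrong_guess):
    """Defender's check: how many wrong guesses the store answers before the
    code is invalidated. Shows the window shrinks from 10**6 to MAX_ATTEMPTS."""
    guesses = 0
    while account_id in store._pending:
        store.verify(account_id, wrong_guess)
        guesses += 1
    return guesses
```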
In addition to the account takeover method, Facebook has fixed a bug that made phone numbers and email addresses visible to more users than they should have been. When users entered new phone numbers and email addresses into Facebook, the default setting was that they would only be visible to the user themselves.
In practice, however, it turned out that Facebook friends could also view this data, contrary to what the default setting indicated. Facebook says it has fixed this error. Phone numbers and email addresses now added to Facebook will only be shown to the user by default. Data previously added under the default setting will also no longer be displayed to Facebook friends.
Facebook also says it has implemented a fix across several Facebook services that should prevent such default-setting problems in the future. The platform says it has no evidence that the incorrectly displayed personal data was stolen via scraping. The security researcher who raised this issue was awarded $15,000 by the platform.
Furthermore, the platform has introduced a new policy for bugs that reveal contact information that should only be known to the user or their friends. By contact information, Facebook means data such as telephone numbers and e-mail addresses. As of now, researchers will receive up to $10,000 as a reward for reporting such bugs. The exact amount depends on, among other things, how easy the leak is to abuse and whether it concerns consumers or companies. For companies the reward is lower, as this data is more likely to be publicly available or guessable, according to Facebook.