Change the password of an active user without knowing the original password - security bug - Facebook allows changing the password in an active login without entering the current password
This might (not) be a security bug in Facebook, and it will probably be fixed by Facebook by the time you try the same steps, because I am going to report this to Facebook.
All the steps I am going to share below deal with changing someone else's password without entering their previous/current password. I have never seen or written code for a "login preference change" that allows the password to be changed without entering the previous password or some other verifying information, so I was shocked to find that Facebook allows it. I was just playing with the Security option in Facebook's Account Settings (https://www.facebook.com/settings) and found the following.
Steps that I followed:
- Go to Facebook's Account Settings (https://www.facebook.com/settings) and choose Security. Then choose "Deactivate your account".
- Choose "My account was hacked" and click "here".
[Screenshot: why is there an option "My account was hacked"?]
- Continue --> Continue.
- Here is the odd thing: there is no input field for the old password.
[Screenshot: Facebook allows the password to be changed in an active login without entering the current password]
- You will then see the following screens. Continue --> Continue.
Some thoughts:
If a user's account was really hacked, they wouldn't be able to log in and see this screen. This screen/option can only be accessed by a user who is already logged in, so isn't this option "My account was hacked" odd? What is its actual purpose?
Consider a situation like this: you log in to your FB account from a PC and forget to log out. Then anyone with access to that PC can change your password and misuse the account.
This wouldn't be a big problem, because once the genuine user realizes that someone else has changed their password, they won't lose the account; they can still reset the password. I just don't know why they put the "My account was hacked" option under "Deactivate your account". This option is completely useless.
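A server-side sketch, added here and not Facebook's code, of the two password-change handlers the post contrasts: one that trusts the active session alone (the behaviour seen in the "no old password field" step) and one that demands the current password and revokes every other session. The in-memory user store, the PBKDF2 parameters and the function names are all constructed for this example.

```python
import hashlib
import hmac
import os
import secrets

# Constructed in-memory user store: username -> salt, password hash, live session ids.
_USERS: dict = {}


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; iteration count chosen for the example only.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def create_user(username: str, password: str) -> None:
    salt = os.urandom(16)
    _USERS[username] = {"salt": salt, "hash": _hash_password(password, salt), "sessions": set()}


def verify_password(username: str, password: str) -> bool:
    user = _USERS[username]
    return hmac.compare_digest(_hash_password(password, user["salt"]), user["hash"])


def login(username: str, password: str):
    """Return a fresh session id on success, None on a wrong password."""
    if username not in _USERS or not verify_password(username, password):
        return None
    sid = secrets.token_hex(16)
    _USERS[username]["sessions"].add(sid)
    return sid


def change_password_weak(session_user: str, new_password: str) -> bool:
    """The flow the post describes: a live session is all that is checked."""
    user = _USERS[session_user]
    user["salt"] = os.urandom(16)
    user["hash"] = _hash_password(new_password, user["salt"])
    return True  # anyone at an unlocked PC can reach this line


def change_password_hardened(session_user: str, session_id: str,
                             current_password: str, new_password: str) -> bool:
    """Re-authenticate with the current password, then drop all other sessions."""
    user = _USERS[session_user]
    if session_id not in user["sessions"]:
        return False
    if not current_password or not verify_password(session_user, current_password):
        return False  # the person at the unlocked PC does not know this value
    user["salt"] = os.urandom(16)
    user["hash"] = _hash_password(new_password, user["salt"])
    user["sessions"] = {session_id}  # log out every other device, including a hijacker's
    return True
```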
Even to get to that DEACTIVATE page you have to log in once!!!
So how did it get hacked then?
Consider a situation like this: you logged in to your FB account from a PC and forgot to log out. Then anyone can change your password and misuse the account.
This option is completely useless.