On Monday, Sow Ching Shiong found a way to hack and change another Facebook users’ password in the same simple and easy manner as you would change your own.
Shiong, an independent vulnerability researcher, discovered a Password Reset Vulnerability in the giant social network which he was able to exploit and bypass certain security restrictions on the platform.
Normally if you want to change your Facebook password you are required to enter your current password on the “Change password” page. This security measure is there to prevent an unauthorized person from changing the password of another user without the user’s knowledge.
However, Shiong found that on Monday he could change another user’s password without knowing the current one by accessing https://www.facebook.com/hacked directly. Once opened in a web browser the page, according to Shiong, was redirected to https://www.facebook.com/checkpoint/checkpointme?f=[userid]&r=web_hacked.
The vulnerability researcher then noticed the URL of the redirected Facebook page had a parameter called “f”, which represents a user’s id. He then replaced his user ID with that of another person in URL and he was able to continue to the next page in the password reset process which allowed him to reset the said user’s password without knowing their previous one.
Shiong alerted the Facebook Security Team who acknowledged the vulnerability and quickly patched it to avoid anyone using it further.