Dan Melamed flagged a vulnerability in which an attacker lures a victim into clicking a link; the request that click triggers lets the attacker reset the victim’s password.
The researcher pointed out a flaw in the ‘claim email address’ component: Facebook did not check where the request came from, so an attacker-chosen email address could be claimed on any account.
“The victim does not receive any notification whatsoever that this email has been added,” Melamed said. “The hacker can then reset the victim’s password using the newly added email address, thus allowing the attacker to take complete control over the Facebook account.”
Facebook has confirmed that it has patched the vulnerability.
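The flaw described above is a cross-site request forgery against the email-claim endpoint: the server trusted the session cookie the browser attached automatically and neither checked the request's origin nor told the account owner. The following added example (not Facebook's code; the origin, session table and account store are constructed stand-ins) places a handler with that weakness beside a hardened one that enforces an Origin check and a per-session anti-CSRF token and records a notification for the owner.

```python
import hmac
import secrets

APP_ORIGIN = "https://app.example.test"  # assumed origin of the legitimate site


def new_state():
    """Constructed in-memory stand-in for the account store and session table."""
    return {
        "accounts": {"victim": {"emails": ["victim@example.test"], "notifications": []}},
        "sessions": {"sess-victim": {"user": "victim", "csrf_token": secrets.token_hex(16)}},
    }


def claim_email_vulnerable(state, session_id, form):
    """Mirrors the reported flaw: the only thing consulted is the session cookie,
    which the browser sends with any request to the site, so a request started
    by a third-party page succeeds, and the owner is never notified."""
    user = state["sessions"][session_id]["user"]
    state["accounts"][user]["emails"].append(form["email"])
    return True


def claim_email_hardened(state, session_id, form, origin):
    """Mitigations: reject requests whose Origin is not our own site, require the
    per-session anti-CSRF token (compared in constant time), and record a
    notification so the owner learns that an email address was added."""
    session = state["sessions"][session_id]
    if origin != APP_ORIGIN:
        return False  # request was not initiated by one of our own pages
    if not hmac.compare_digest(form.get("csrf_token", ""), session["csrf_token"]):
        return False  # token missing or wrong: treat the request as forged
    account = state["accounts"][session["user"]]
    account["emails"].append(form["email"])
    account["notifications"].append(f"Email {form['email']} was added to your account")
    return True
```

In a real deployment the token would be embedded in the site's own form and the notification sent to the existing addresses, which is what gives the owner a chance to react.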