On January 30, 2024, Nepali cybersecurity researcher Samip Aryal made history by uncovering a vulnerability in Facebook's password reset system. The flaw allowed an attacker to take over any account without any action required from the victim.
Aryal's discovery not only earned him a substantial reward from the company but also placed him at the top of Facebook's white hat hacker rankings for 2024. The exact amount of the reward remains undisclosed.
By probing Facebook's password reset function, Aryal found that there was no limit on the number of attempts an attacker could make when submitting a security code. Because of this oversight, an attack could be carried out without the user's involvement: the attacker simply requested a reset code for the victim's account and then tried 6-digit codes until one matched.
In his write-up, Aryal demonstrated that when resetting a password through Android Studio, users were prompted to obtain a security code via a Facebook notification. This code remained valid for 2 hours, even after unsuccessful attempts to enter it; unlike the SMS reset method, it was not invalidated after multiple incorrect tries.
Depending on the user, the security code could be revealed either in the notification itself (Zero Click) or only after tapping the notification (One Click). Using Burp Suite, Aryal was able to test all possible code combinations in an hour, well within the code's 2-hour validity window, confirming that an account could be taken over without any interaction whenever the code appeared in the notification itself.
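As an added illustration (not code from the write-up or from Facebook), here is a minimal server-side reset-code verifier in Python. Its `max_attempts` switch set to `None` mirrors the behaviour described above, where wrong guesses never invalidate the code during its two-hour window, and a small limit plus single use and expiry is the hardened policy; all class, function and account names are assumptions.

```python
import hmac, secrets, time
from dataclasses import dataclass

CODE_TTL_SECONDS = 2 * 60 * 60  # two-hour validity window, as in the write-up

@dataclass
class ResetCode:
    code: str
    issued_at: float
    attempts: int = 0
    revoked: bool = False

class ResetCodeVerifier:
    # Hypothetical server-side check for a 6-digit reset code. max_attempts=None
    # mirrors the weak behaviour described above (failed guesses never invalidate
    # the code during its TTL); a small positive max_attempts is the hardened policy.
    def __init__(self, max_attempts=5, clock=time.time):
        self.max_attempts = max_attempts
        self.clock = clock  # injectable for testing expiry
        self._codes = {}

    def issue(self, user_id):
        # One live code per account: a new request replaces any earlier code.
        code = f"{secrets.randbelow(10**6):06d}"
        self._codes[user_id] = ResetCode(code=code, issued_at=self.clock())
        return code

    def verify(self, user_id, guess):
        rec = self._codes.get(user_id)
        if rec is None or rec.revoked:
            return False
        if self.clock() - rec.issued_at > CODE_TTL_SECONDS:
            rec.revoked = True  # expired
            return False
        rec.attempts += 1
        # Constant-time compare so timing does not leak how many digits matched.
        if hmac.compare_digest(rec.code, str(guess)):
            rec.revoked = True  # single use
            return True
        if self.max_attempts is not None and rec.attempts >= self.max_attempts:
            rec.revoked = True  # hardened: repeated failures kill the code
        return False

def demo(max_attempts, wrong_guesses=50):
    # Issue a code for a constructed account, submit wrong codes, then the real one.
    v = ResetCodeVerifier(max_attempts=max_attempts)
    real = v.issue("victim")
    for _ in range(wrong_guesses):
        v.verify("victim", "not-a-code")  # wrong length, never matches
    return v.verify("victim", real)
```

`demo(None)` returns True because the correct code is still accepted after 50 failures, while `demo(5)` returns False because the code was revoked on the fifth wrong guess.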
Aryal reported the flaw to Facebook on January 30, 2024, and by February 2 it had been fixed.