Hackers can take control of Facebook accounts without requiring any action from the victim.
Cyber security expert Samip Aryal, who currently leads Facebook’s “bounty hunter” list, has just published details of a security vulnerability in the social network that allowed hackers to take over victims’ accounts. The problem was discovered and patched on February 2, but it was only announced publicly a month later (due to security regulations).
According to Aryal, the vulnerability lies in Facebook’s password reset process, specifically in the optional feature that sends a 6-digit authentication code to another device that is already logged in or pre-registered by the user. This code authenticates the original user and is used to complete the password reset on a new device (one that has never logged in before).
While analyzing the request, he discovered that Facebook sent a fixed authentication code (the sequence of digits did not change), valid for 2 hours, with no security measures to prevent brute-force attacks, a type of intrusion that tries every possible password string until the correct sequence of characters is found.
This means that, within 2 hours of the code being sent, crooks could enter wrong activation codes countless times without triggering any preventive measure from Facebook’s system. Normally, if an incorrect code or password is entered more than a specified number of times, a security system will suspend login rights for the suspicious account.
A period of 2 hours may not be much for ordinary people, but for hackers using support tools, it is completely doable.
The attacker only needs to know the target account’s login name to request a verification code, then apply the brute-force method non-stop for 2 hours until the code is found. The result is an easy password reset: the attacker takes control of the account and “kicks out” the real owner’s active sessions before anything can be done.
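As an added illustration (not code from the article, from Aryal, or from Facebook), the Python below shows the two controls the report says were missing: a bounded number of verification attempts and a code that is invalidated once that budget or the 2-hour window is spent. The class, the attempt limit of 5 and the account names are assumptions chosen for the example.

```python
import hmac
import secrets
import time

CODE_DIGITS = 6
CODE_TTL_SECONDS = 2 * 60 * 60   # the 2-hour validity window described above
MAX_ATTEMPTS = 5                 # assumed budget of wrong guesses per code


class ResetCodeStore:
    """One active reset code per account, with expiry and an attempt budget.

    The weakness in the article was a code that stayed fixed for the whole
    window and could be guessed without limit. Here every request issues a
    fresh random code, wrong guesses are counted, and the code is discarded
    when the budget is spent, when it expires, or after one successful use.
    """

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable for testing expiry
        self._codes = {}             # account -> (code, issued_at, attempts_left)

    def issue(self, account):
        # New random 6-digit code on every request (never reuse the old one).
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._codes[account] = (code, self._clock(), MAX_ATTEMPTS)
        return code

    def verify(self, account, guess):
        entry = self._codes.get(account)
        if entry is None:
            return False
        code, issued_at, attempts_left = entry
        if self._clock() - issued_at > CODE_TTL_SECONDS:
            del self._codes[account]        # expired: a new code must be issued
            return False
        if hmac.compare_digest(code, str(guess)):
            del self._codes[account]        # single use
            return True
        attempts_left -= 1
        if attempts_left <= 0:
            del self._codes[account]        # budget spent: code invalidated
        else:
            self._codes[account] = (code, issued_at, attempts_left)
        return False
```

With a 6-digit space of one million values and a budget of five guesses, a brute-force attempt has a 0.0005% chance per issued code instead of the near-certainty the fixed, unlimited code allowed.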
Mr. Vu Ngoc Son, Technology Director of NCS, said that the above form of attack is beyond the user’s ability to prevent and is called a 0-click attack. With this form, hackers can steal the victim’s account without requiring any action from them.
“When this vulnerability is exploited, the victim will receive a notification from Facebook. Therefore, if you suddenly receive a notification from Facebook about password recovery, it is very likely that your account is being attacked and taken over,” Mr. Son shared. The expert said that with vulnerabilities like those mentioned, users can only wait for the supplier to patch them.
Facebook is a social network popular in many countries around the world, and users post and store a lot of personal data during use. Therefore, hackers often aim to attack and take control of accounts on the platform to carry out fraudulent scenarios.
Prominent among these is the form of impersonating the victim and contacting relatives in their friends list to ask for a transfer to defraud money. This method, with the support of Deepfake technology to fake video calls, has trapped many people. To create more trust, crooks also buy and sell bank accounts with the same name as the Facebook account holder to easily conduct their scam.
Another form is to hijack the account and then use it to send links or files containing malicious code, spreading it across social networks. Once activated on the target machine (the device used by the victim), this malicious code attacks and steals personal information, such as bank account numbers, photos, contacts, messages, and many other types of data stored in the device’s memory.