Researcher Details 0-Click Facebook Account Takeover Vulnerability
Nepalese cybersecurity researcher Samip Aryal made history by identifying a vulnerability in Facebook's password reset system that allowed an attacker to take over any account without any action from the victim.
Aryal’s discovery not only earned him an unprecedented reward from the company but also secured him a top position in Facebook’s Hall of Fame among white-hat hackers for the year 2024. The amount of the reward, however, remains undisclosed.
Aryal revealed that Facebook’s password reset feature lacked a limit on the number of attempts to request a code, enabling attacks without user intervention. An attacker could initiate a password reset request and brute-force the six-digit security code.
Aryal's investigation demonstrated that when resetting a password through Android Studio, users were prompted to receive a security code via a Facebook notification. Remarkably, the code remained valid for two hours and, unlike the SMS-based reset flow, was not invalidated after several incorrect entry attempts.
By employing brute-force methods, Aryal managed to test all possible code combinations within an hour, uncovering a vulnerability that allowed the code to be displayed directly in the notification without needing to click on it. Aryal reported the flaw to Facebook on January 30, 2024, and by February 2, the issue had been resolved.
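The two missing controls described above (a cap on failed attempts that invalidates the code, and a short lifetime) are what a defender would add to a reset-code verifier. The following is an added example written for this article, not Facebook's code; the five-attempt cap, ten-minute lifetime, and injectable clock are assumptions chosen for illustration.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumed policy values for this example, not Facebook's actual settings.
MAX_ATTEMPTS = 5        # invalidate the code after this many wrong guesses
TTL_SECONDS = 10 * 60   # ten-minute lifetime instead of two hours


@dataclass
class ResetCode:
    code: str
    issued_at: float
    failed_attempts: int = 0
    invalidated: bool = False


class ResetCodeStore:
    """Per-account store of outstanding password-reset codes."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._codes = {}         # account -> ResetCode

    def issue(self, account: str) -> str:
        # A fresh request replaces any earlier code for the account, so an
        # old code cannot be kept alive by re-requesting a reset.
        code = f"{secrets.randbelow(10**6):06d}"
        self._codes[account] = ResetCode(code, self._now())
        return code

    def verify(self, account: str, attempt: str) -> bool:
        rec = self._codes.get(account)
        if rec is None or rec.invalidated:
            return False
        if self._now() - rec.issued_at > TTL_SECONDS:
            rec.invalidated = True           # expired: reject and burn it
            return False
        if hmac.compare_digest(rec.code, attempt):
            del self._codes[account]         # single use on success
            return True
        rec.failed_attempts += 1
        if rec.failed_attempts >= MAX_ATTEMPTS:
            rec.invalidated = True           # even the correct code is now useless
        return False
```

With the cap in place, the full six-digit space can no longer be enumerated against a single code, and a fresh code must be requested after every few failures.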