Penetration Testing Tools
Researcher Details 0-Click Facebook Account Takeover Vulnerability

by ddos · March 6, 2024

Nepalese cybersecurity researcher Samip Aryal identified a vulnerability in Facebook’s password reset flow that allowed an attacker to take over any account without any action from the victim.

Aryal’s discovery not only earned him an unprecedented reward from the company but also secured him a top position in Facebook’s Hall of Fame among white-hat hackers for the year 2024. The amount of the reward, however, remains undisclosed.

Aryal revealed that Facebook’s password reset feature did not limit the number of attempts at guessing a reset code, which made a zero-click attack possible: an attacker could initiate a password reset for a victim’s account and brute-force the six-digit security code without the victim doing anything.

Aryal’s investigation demonstrated that when resetting passwords through Android Studio, users were prompted to receive a security code via a Facebook notification. Remarkably, the code remained valid for two hours, even after multiple unsuccessful entry attempts. Aryal noted that, unlike SMS-based resets, the code was not invalidated after several erroneous attempts.

Using brute force, Aryal was able to test every possible code combination within an hour. He also found that the code was displayed directly in the notification text, so it could be read without the notification ever being opened. Aryal reported the flaw to Facebook on January 30, 2024, and by February 2 the issue had been resolved.
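To make the missing controls concrete, here is an added example that is not from the article and not Facebook’s code: a server-side reset-code store in which the attempt cap, the code lifetime and single use are explicit settings, so the weak configuration the article describes (a code valid for two hours with unlimited wrong guesses) can be placed beside a hardened one. The class and function names, the 5-attempt cap and the 10-minute lifetime are assumptions chosen for illustration; the helper that submits wrong codes runs only against the local in-memory object to confirm that the cap actually fires.

```python
# Added example, not the article's or Facebook's code. Names, the 5-attempt cap
# and the 10-minute lifetime are assumptions for illustration.
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_DIGITS = 6
KEY_SPACE = 10 ** CODE_DIGITS  # a six-digit code has one million possible values


@dataclass
class IssuedCode:
    digest: bytes        # salted SHA-256 of the code; the plaintext is not stored
    salt: bytes
    issued_at: float
    failures: int = 0
    consumed: bool = False


class ResetCodeStore:
    """Holds one active reset code per user.

    max_failures=None with a long ttl_seconds reproduces the weak behaviour the
    article describes (a code that stays valid for hours regardless of wrong
    guesses); a small cap and short lifetime bound a guesser's success odds to
    roughly max_failures / KEY_SPACE per issued code.
    """

    def __init__(self, ttl_seconds, max_failures, clock=time.time):
        self.ttl_seconds = ttl_seconds
        self.max_failures = max_failures
        self.clock = clock  # injectable so expiry can be tested without sleeping
        self._codes = {}

    @staticmethod
    def _digest(code, salt):
        return hashlib.sha256(salt + code.encode()).digest()

    def issue(self, user_id):
        """Generate a fresh code, replacing any earlier one for this user."""
        code = f"{secrets.randbelow(KEY_SPACE):0{CODE_DIGITS}d}"
        salt = secrets.token_bytes(16)
        self._codes[user_id] = IssuedCode(self._digest(code, salt), salt, self.clock())
        return code  # returned only so the caller can deliver it to the user

    def is_active(self, user_id):
        entry = self._codes.get(user_id)
        return entry is not None and not entry.consumed

    def verify(self, user_id, candidate):
        """Return True exactly once for the right code; every other path is False."""
        entry = self._codes.get(user_id)
        if entry is None or entry.consumed:
            return False
        if self.clock() - entry.issued_at > self.ttl_seconds:
            del self._codes[user_id]            # expired: drop it
            return False
        if hmac.compare_digest(self._digest(candidate, entry.salt), entry.digest):
            entry.consumed = True               # single use
            return True
        entry.failures += 1
        if self.max_failures is not None and entry.failures >= self.max_failures:
            del self._codes[user_id]            # too many misses: invalidate the code
        return False


def worst_case_success_odds(max_failures):
    """Chance that max_failures distinct guesses hit one uniformly chosen code."""
    if max_failures is None:
        return 1.0  # unlimited guesses: the whole key space can be walked
    return min(max_failures, KEY_SPACE) / KEY_SPACE


def wrong_guesses_until_locked(store, user_id, real_code, limit):
    """Submit deliberately wrong codes to the local store until it drops the
    entry, or until `limit` submissions; returns how many were made. This only
    checks that the cap fires, against the in-memory object."""
    wrong = "000000" if real_code != "000000" else "000001"
    for n in range(1, limit + 1):
        store.verify(user_id, wrong)
        if not store.is_active(user_id):
            return n
    return limit


class FakeClock:
    """Manually advanced clock so expiry can be exercised deterministically."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


def compare_configurations():
    """Weak configuration (two-hour code, no cap) beside a hardened one."""
    clock = FakeClock()
    weak = ResetCodeStore(ttl_seconds=2 * 3600, max_failures=None, clock=clock)
    hardened = ResetCodeStore(ttl_seconds=600, max_failures=5, clock=clock)
    weak_code = weak.issue("victim")
    hard_code = hardened.issue("victim")
    return {
        "weak_guesses_tolerated": wrong_guesses_until_locked(weak, "victim", weak_code, 50),
        "weak_code_still_valid": weak.verify("victim", weak_code),
        "hardened_guesses_tolerated": wrong_guesses_until_locked(hardened, "victim", hard_code, 50),
        "hardened_code_still_valid": hardened.verify("victim", hard_code),
    }


if __name__ == "__main__":
    print(compare_configurations())
```

The weak store tolerates every wrong guess and still accepts the real code afterwards, which is the condition that lets a six-digit space be exhausted; the hardened store discards the code after the fifth miss, so the only thing an unlimited guesser achieves is forcing a new code to be issued. The detection counterpart is to alert on repeated reset-code failures for one account, since the hardened path produces exactly that signal.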

Penetration Testing Tools © 2025. All Rights Reserved.