Skip to content

Information Security News

  • Home
  • Cyber Security
  • Cybercriminals
  • Data Leak
  • Google
    • Android
  • Information Security
  • Linux
  • Malware
  • Microsoft
    • Windows
  • Open Source Tool
  • Vulnerability
  • Technology

Information Security News

  • Home
  • Cyber Security
  • Cybercriminals
  • Data Leak
  • Google
    • Android
  • Information Security
  • Linux
  • Malware
  • Microsoft
    • Windows
  • Open Source Tool
  • Vulnerability
  • Technology
  • Vulnerability

Researcher Details 0-Click Facebook Account Takeover Vulnerability

by Nam Phong · March 6, 2024

Nepalese cybersecurity researcher Samip Aryal made history by identifying a vulnerability in Facebook’s password reset system that allowed a malefactor to seize any account without any action from the victim.

Aryal’s discovery not only earned him an unprecedented reward from the company but also secured him a top position in Facebook’s Hall of Fame among white-hat hackers for the year 2024. The amount of the reward, however, remains undisclosed.

Aryal revealed that Facebook’s password reset feature lacked a limit on the number of attempts to request a code, enabling attacks without user intervention. An attacker could initiate a password reset request and brute-force the six-digit security code.

Aryal’s investigation demonstrated that when resetting passwords through Android Studio, users were prompted to receive a security code via a Facebook notification. Remarkably, the code remained valid for two hours, even after multiple unsuccessful entry attempts. Aryal noted that, unlike SMS-based resets, the code was not invalidated after several erroneous attempts.

By employing brute-force methods, Aryal managed to test all possible code combinations within an hour, uncovering a vulnerability that allowed the code to be displayed directly in the notification without needing to click on it. Aryal reported the flaw to Facebook on January 30, 2024, and by February 2, the issue had been resolved.

Related coverage

  • The GhostCommit Vulnerability: AI Assistants Weaponized via Images
  • CVE-2026-0288: PAN-OS TSA Buffer Overflows Score CVSS 9.2
  • IonStack: Android 17 Two-Bug Chain Disclosed by Nebula Security
  • CrowdStrike Exposes New Prompt Injection Techniques
  • Adobe ColdFusion Critical Vulnerabilities Patched

Support Our Threat Intelligence

If you find our technology report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee Logo Buy Me a Coffee PayPal
Crypto QR Code
USDT (TRC20):
TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm
USDT (ERC20):
0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce

Tags: 0-Click Facebook Account TakeoverFacebook Account Takeover

Follow:

  • Next story ChatGPT Users Hacked: Credentials Sold on Dark Web
  • Previous story CVE-2024-27198 and CVE-2024-27199: Critical Security Flaws Affecting TeamCity On-Premises

  • Recent Posts
  • Popular Posts
  • Tags
  • GhostCommit AI vulnerability diagram illustrating prompt injection against AI coding assistants

    Vulnerability

    The GhostCommit Vulnerability: AI Assistants Weaponized via Images

    July 14, 2026

  • Critical Joomla extension vulnerabilities diagram, iCagenda and Balbooa Forms exploit overview

    Malware

    Critical Joomla Extension Vulnerabilities Actively Exploited

    July 14, 2026

  • Debian 13.6 point release updates with UEFI Secure Boot and Linux kernel patches

    Linux

    Debian 13.6 Released: Crucial Security and UEFI Fixes

    July 14, 2026

  • Interpol Operation First Light 2026 global fraud bust 5811 arrests 293 million dollars seized

    Cybercriminals

    Operation First Light 2026: 5,811 Arrested in Global Fraud Bust

    July 13, 2026

  • Ransomware negotiator Angelo Martino sentenced 70 months for betraying clients to BlackCat ALPHV

    Malware

    Ransomware Negotiator Sentenced for Betraying Clients to BlackCat

    July 13, 2026

  • Apache Camel vulnerabilities enabling server-side request forgery and authentication bypass in JMS and WebSocket connectors

    Vulnerability

    Apache Camel Patches Five High-Severity Vulnerabilities

    July 9, 2026

  • OpenSUSE Leap 15.4 Beta releases, Linux distributions

    Linux

    OpenSUSE Leap 15.4 Beta releases, Linux distributions

    May 30, 2020

  • Ubuntu 16.04.6 LTS released: fix security vulnerabilities

    Linux

    Ubuntu 16.04.6 LTS released: fix security vulnerabilities

    March 1, 2019

  • GhostBSD 23.10.1 released, FreeBSD distribution

    Linux

    GhostBSD 23.10.1 released, FreeBSD distribution

    May 1, 2020

  • Solus 4.4 Fortitude releases, Linux distribution

    Linux

    Solus 4.4 Fortitude releases, Linux distribution

    January 26, 2020

  • AI AI security Android Apple APT BOTNET China CISA cloud security cryptocurrency cyberattack cybercrime Cyber Espionage cybersecurity Cybersecurity 2026 data breach Github google hacking Infosec InfoSec 2026 Infostealer Linux Linux Kernel malware Microsoft network security open source Penetration Testing phishing privacy privilege escalation Prompt Injection ransomware RCE remote code execution security Social Engineering supply chain attack Tech News 2026 threat intelligence vulnerability windows Windows 11 zero-day
  • Home
  • About Us
  • Contact Us
  • DMCA NOTICE
  • Privacy Policy

Information Security News © 2026. All Rights Reserved.

Powered by  - Designed with Hueman Pro