(LiveHacking.Com) – Facebook has fixed a serious vulnerability in its password reset mechanism after Sow Ching Shiong, an independent vulnerability researcher, discovered a flaw that allowed hackers to change the passwords of accounts they had already compromised without knowing the user’s current password.
Normally, an authenticated Facebook user needs to enter their current password when using the change password page. This prevents an unauthorized person who has gained access to a logged-in session from changing the password without the user’s knowledge. However, Ching Shiong found that it was possible to change a user’s password without knowing the old one by first visiting the URL “https://www.facebook.com/hacked”. This page automatically redirected to the compromised account recovery page, where the previous password was not required.
Facebook has now addressed this issue and users are prompted to enter their old passwords before setting a new one. Sow Ching Shiong has been added to Facebook’s list of white hats.
“This vulnerability has been confirmed and patched by Facebook Security Team. I would like to thank them for their quick response to my report,” wrote Sow Ching Shiong on his blog.