Account Compromise through Brute Forcing the FB Disavow Link - Multiple Subdomains
Another bug in Facebook. This time multiple Facebook subdomains were found to be vulnerable to brute forcing: Facebook does not limit the number of attempts made against the disavow page, which allows account takeover by brute forcing the link token.

Vulnerability Type: Missing rate limiting or anti-automation measures

Vulnerable Service: Facebook Disavow

Vulnerable URL: https://www.facebook.com/hacked/disavow?u=100007881843952&n=JIjLVAuY

Vulnerable Domains: all of the following domains were found to be vulnerable to the same flaw.
www.facebook.com
www.beta.facebook.com
m.facebook.com
m.beta.facebook.com
iphone.facebook.com
developers.facebook.com
lookaside.facebook.com

Attack Scenario: Assume the victim has forgotten their password and used the forgot-password feature to reset it. Facebook then sends a password reset confirmation mail, which contains a link in case t...
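To make the flaw concrete, here is an added example (written for this page; it is not Facebook's code and does not talk to Facebook) that models a disavow-style endpoint which takes a user id `u` and a link token `n`. The `DisavowService` class, its method names and the tiny two-letter token space used for the demo are all hypothetical. With `max_attempts=None` the handler behaves like the report describes: every guess is answered, so an attacker can walk the whole keyspace. With a per-token attempt limit the token is burned after a few wrong guesses and the enumeration stops.

```python
import hmac
import secrets
import string
from itertools import product

ALPHABET = string.ascii_letters + string.digits  # 62 symbols, like the 8-char n= value above


class DisavowService:
    """Toy model of a one-shot 'this wasn't me' link handler (hypothetical, not Facebook's code)."""

    def __init__(self, token_len=8, max_attempts=None):
        self.token_len = token_len
        self.max_attempts = max_attempts  # None => unlimited guesses, the flaw on the page
        self.tokens = {}                  # user_id -> outstanding token
        self.failures = {}                # user_id -> failed attempts against that token
        self.requests = 0                 # total requests served, to count attacker effort

    def issue(self, user_id, token=None):
        """Issue a fresh token for user_id; a fixed token may be passed for deterministic tests."""
        token = token or "".join(secrets.choice(ALPHABET) for _ in range(self.token_len))
        self.tokens[user_id] = token
        self.failures[user_id] = 0
        return token

    def disavow(self, user_id, guess):
        """Handle one request to ?u=user_id&n=guess. Returns 'ok', 'bad' or 'locked'."""
        self.requests += 1
        expected = self.tokens.get(user_id)
        if expected is None:
            return "bad"  # no outstanding token (never issued, used, or burned)
        if hmac.compare_digest(expected, guess):  # constant-time compare, no timing side channel
            del self.tokens[user_id]              # single use: a valid link cannot be replayed
            return "ok"
        self.failures[user_id] += 1
        if self.max_attempts is not None and self.failures[user_id] >= self.max_attempts:
            del self.tokens[user_id]  # burn the token instead of letting guessing continue
            return "locked"
        return "bad"


def brute_force(service, user_id, alphabet, length):
    """Enumerate every token of the given length. Returns (token_found_or_None, requests_made)."""
    for combo in product(alphabet, repeat=length):
        result = service.disavow(user_id, "".join(combo))
        if result == "ok":
            return "".join(combo), service.requests
        if result == "locked":
            return None, service.requests
    return None, service.requests


def keyspace(alphabet_size, length):
    """Number of guesses an unlimited endpoint exposes for a random token of this shape."""
    return alphabet_size ** length


if __name__ == "__main__":
    # Constructed demo: 26-letter alphabet, 2-char token, worst-case token 'zz'.
    vulnerable = DisavowService(max_attempts=None)
    vulnerable.issue("victim", token="zz")
    print(brute_force(vulnerable, "victim", string.ascii_lowercase, 2))   # ('zz', 676)

    hardened = DisavowService(max_attempts=5)
    hardened.issue("victim", token="zz")
    print(brute_force(hardened, "victim", string.ascii_lowercase, 2))     # (None, 5)

    print(keyspace(len(ALPHABET), 8))  # guesses exposed by an unlimited 8-char alphanumeric token
```

The demo uses a deliberately tiny token so the enumeration finishes instantly; `keyspace(62, 8)` prints the number of guesses an unlimited endpoint hands to an attacker for a token shaped like the `n` value in the vulnerable URL. The fix demonstrated by the hardened instance is the one the report calls for: count failed attempts per token, burn the token once the limit is reached, and keep the comparison constant-time and the link single-use.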