Facebook had a vulnerability that could allow anyone to easily reset your password.

Anand Prakash recently wrote on his blog that he had found a vulnerability in Facebook that allowed an attacker to brute-force any user's password reset code. When someone requests a new password, Facebook sends a code to their phone. Because Facebook's beta site did not stop an attacker from guessing over and over, the attacker could cycle through every possible code until one was accepted and then set a new password on the account. Anand is one of the good guys: he reported it to Facebook and they patched it. There is no evidence that I am aware of that suggests that anyone but Anand had figured this out. However, if at some point your Facebook account was hacked shortly after you got a random password reset notification, this might be how. Anand writes about this in detail on his blog, found here.
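To make the failure concrete, here is an added example (not code from the post, from Anand's write-up, or from Facebook) that models a reset-code check the way the post describes it: one verifier that never counts failed guesses, and a hardened one beside it that expires the code, makes it single-use and locks the reset request after a handful of failures. The six-digit code length, the five-attempt cap and the ten-minute lifetime are assumptions chosen for the example, not figures taken from the post. The same brute-force loop is run against both.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumptions for this example: six-digit numeric codes, a cap of five failed
# attempts and a ten-minute lifetime. None of these figures come from the post.
CODE_DIGITS = 6
CODE_SPACE = 10 ** CODE_DIGITS
MAX_ATTEMPTS = 5
CODE_TTL_SECONDS = 10 * 60


@dataclass
class ResetRequest:
    """Server-side state for one outstanding password reset."""
    code: str
    issued_at: float
    attempts: int = 0
    locked: bool = False


def issue_code(now=None):
    """Create a reset request with a random code, as the SMS step would."""
    code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
    return ResetRequest(code=code, issued_at=time.time() if now is None else now)


def verify_unlimited(req, guess, now=None):
    """Vulnerable verifier: nothing counts failures, so the whole code space
    can be tried. This models the unthrottled beta endpoint in the post."""
    return req.code == guess


def verify_limited(req, guess, now=None):
    """Hardened verifier: the code expires, is single-use, and the request
    locks after MAX_ATTEMPTS failures no matter what is guessed afterwards."""
    now = time.time() if now is None else now
    if req.locked or now - req.issued_at > CODE_TTL_SECONDS:
        return False
    req.attempts += 1
    if hmac.compare_digest(req.code.encode(), guess.encode()):
        req.locked = True      # burn the code so it cannot be replayed
        return True
    if req.attempts >= MAX_ATTEMPTS:
        req.locked = True      # further guesses, right or wrong, are refused
    return False


def brute_force(req, verify, now=None):
    """Attacker loop: submit every possible code in order until one is
    accepted. Returns (accepted_code_or_None, number_of_guesses_made)."""
    for n in range(CODE_SPACE):
        guess = f"{n:0{CODE_DIGITS}d}"
        if verify(req, guess, now):
            return guess, n + 1
    return None, CODE_SPACE


def demo():
    """Run the same attack against both verifiers for one random code."""
    victim = issue_code()
    weak = brute_force(ResetRequest(victim.code, victim.issued_at), verify_unlimited)
    strong = brute_force(ResetRequest(victim.code, victim.issued_at), verify_limited)
    return {"unlimited": weak, "limited": strong}


if __name__ == "__main__":
    result = demo()
    print("no attempt cap :", result["unlimited"])  # the code is always found
    print("attempt cap    :", result["limited"])    # locked out after 5 guesses
```

Against the unlimited verifier the loop always succeeds, on average halfway through the code space; against the limited one it is refused after five failures and never recovers, even when it later submits the correct code. The attempt cap has to live on every endpoint that accepts the code, which is exactly the kind of gap the post describes between the main site and the beta site. The post does not say what Facebook's own fix was, so nothing here should be read as their implementation.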
