February 29, 2024 at 09:27AM
Meta recently patched a critical vulnerability affecting the Facebook password reset process, as reported by cybersecurity researcher Samip Aryal. The flaw allowed an attacker to exploit a two-hour window to brute-force a unique six-digit code and gain control of an account. Meta’s bug bounty program recognized Aryal’s contribution, but the exact payout remains undisclosed.
The report outlines a critical vulnerability discovered by cybersecurity researcher Samip Aryal, which could have been exploited to take control of any Facebook account. The flaw affected Facebook’s password reset process, specifically the six-digit unique authorization code sent to another device the user is logged into. The code remained valid for roughly two hours and was not protected against brute-force attempts, so the full six-digit space could be tried within its lifetime.
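As an added illustration (not code from the report, from Aryal or from Meta), the following verifier closes the two gaps described above: a long validity window and no cap on wrong guesses. The TTL, the attempt limit and the in-memory store are assumptions chosen for the example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 600   # assumption: 10 minutes instead of a ~2-hour window
MAX_ATTEMPTS = 5         # assumption: burn the code after 5 wrong guesses


@dataclass
class ResetCode:
    code: str          # six-digit code, as in the Facebook flow
    issued_at: float
    attempts: int = 0
    consumed: bool = False


class ResetCodeStore:
    """Per-account reset codes with expiry, attempt cap and single use."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._codes = {}         # account_id -> ResetCode

    def issue(self, account_id):
        # Cryptographically random 6-digit code; a wrong-guess counter and
        # issue time are stored alongside it.
        code = f"{secrets.randbelow(1_000_000):06d}"
        self._codes[account_id] = ResetCode(code, self._now())
        return code

    def verify(self, account_id, submitted):
        entry = self._codes.get(account_id)
        if entry is None or entry.consumed:
            return False
        if self._now() - entry.issued_at > CODE_TTL_SECONDS:
            del self._codes[account_id]           # expired: force a fresh request
            return False
        entry.attempts += 1
        if entry.attempts > MAX_ATTEMPTS:
            del self._codes[account_id]           # too many guesses: invalidate
            return False
        if hmac.compare_digest(entry.code, submitted):   # constant-time compare
            entry.consumed = True                 # one successful use only
            return True
        return False
```

With the cap in place, even the correct code is rejected once the guess budget is spent, which is what makes a six-digit code safe to use.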
Aryal reported the findings to Meta on January 30, and the issue was promptly patched by February 2. The severity of the flaw positioned it for significant bug bounty rewards from Meta, which offers payouts ranging from $5,000 to $130,000 for account takeover exploits, based on the impacted component and the level of effort required for the exploit. Notably, a zero-click account takeover exploit can earn researchers up to $130,000. While Meta did classify the vulnerability as a zero-click exploit, it appears that Aryal did not receive the maximum bounty.
The immediate action taken by Meta to address the vulnerability and the ongoing trend of similar account takeover exploits in technology platforms underscore the importance of robust security measures and ongoing vigilance against potential threats.