Another major security flaw on Facebook: it allows you to bypass your friend's security question and reset the password with the help of 2 mutual friends. That is, once you bypass the security question, Facebook will ask you to verify your account with the help of 3 friends.
Everyone knows that most websites prompt their users to select a security question so that, in case you forget your password, you can easily reset it. But when it comes to Facebook, things can become worse if you have selected a security question. Recently I was just playing with the Facebook password reset process and found that there is an easy way to bypass Facebook's security question. Here's how:
Go to Facebook's Forgot Password page, enter any of your friend's details and click Search. Facebook will search for the account associated with the information you provided. Select the account and click "This is My Account". Facebook will then present the available options to recover the account.
Now click "No Longer have access to these?" and Facebook will ask for a new email address so that it can send you messages about recovering your account. Enter the new email address and click Submit. As expected, there is another level of security called the "Security Question". Here comes the critical vulnerability: if you provide wrong answers three times in a row, you will simply bypass this level of security, and Facebook will offer another way to get back the account with the help of 3 friends.
As you can see above, there are three steps involved in the recovery process. First you will have to select 3 trusted friends for help (if you are trying to hack your friend's password, then you may select yourself and 2 more friends).
Note: please select trusted friends only, because any of these friends can potentially gain access to your friend's Facebook account through the standard password recovery process.
Once you select your 3 trusted friends, Facebook will email a security code to each of them. Now your job is to call your friends and get the 3 security codes. Once you have collected the 3 security codes, enter them one by one in step 3. Finally, Facebook will allow you to reset the password through the standard email recovery process.
Important: note that the victim's account will be locked for 24 hours after this password change, and the user's old email address will receive a notification of the password change, including the names of the 3 friends who were involved in it. Yes, you guessed it right: you could also create 3 fake profiles, add them to your victim's friends list first and then carry out this hacking process.
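The flaw described above is a fail-open step: running out of security-question attempts advances the recovery instead of stopping it. The following added example (not Facebook's code and not from the original post) models that flow beside a fail-closed variant and a friendship-age filter for helper selection; all names, states and the 30-day threshold are assumptions.

```python
import hmac
from dataclasses import dataclass

MAX_WRONG = 3  # the post reports three wrong answers in a row


@dataclass
class Recovery:
    answer: str            # constructed sample secret
    wrong: int = 0
    state: str = "QUESTION"


def _check(r, guess):
    # Constant-time comparison of the supplied answer
    return hmac.compare_digest(r.answer.encode(), guess.encode())


def answer_fail_open(r, guess):
    """Flow as the post describes it: using up the attempts moves forward."""
    if r.state == "QUESTION":
        if _check(r, guess):
            r.state = "VERIFIED"          # assumed outcome of a correct answer
        else:
            r.wrong += 1
            if r.wrong >= MAX_WRONG:
                r.state = "FRIEND_CODES"  # failure advances the recovery
    return r.state


def answer_fail_closed(r, guess):
    """Hardened variant: using up the attempts ends this recovery attempt."""
    if r.state == "QUESTION":
        if _check(r, guess):
            r.state = "VERIFIED"
        else:
            r.wrong += 1
            if r.wrong >= MAX_WRONG:
                r.state = "LOCKED"        # terminal; later answers are ignored
    return r.state


def eligible_helpers(friend_age_days, min_days=30):
    """Keep only friends at least min_days old (assumed threshold)."""
    return sorted(n for n, d in friend_age_days.items() if d >= min_days)
```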
How do I Protect Myself from This Attack?
As you can see, we easily bypassed Facebook's security question, so there is no use in setting one. If you haven't selected a security question on Facebook, just sit back and hang loose; don't bother to set one. Just register your mobile on Facebook.
It's important that you register your mobile on Facebook.
Unfortunately, it is not possible to update or remove your account's security question once you have added one. So if you have already added a security question in your Account Settings, you are at risk. To avoid this attack, you will need to update your 'Account Security' in Account Settings.
- Go to Account Settings and click 'Account Security'. You will see the options below:
- Check all three options. When you check the third option, called "Login Approvals", Facebook will add another level of security to your account. 'Login approvals' is a security feature that requires you to enter a code that Facebook will text to your phone when you log in from an unrecognized computer.
- Never friend or accept friend requests from people you don't know.
- If by chance anybody resets your password through this attack, your email address will receive a notification of the password change, including the names of the 3 friends who were involved in it. You will then have only 24 hours to act on it, so always check your email every day.
- If you are planning to go on vacation, never update your status to say "I will be offline for some days" or anything similar. Your vacation is enough time for a hacker to compromise your account.
Do share this post with your friends and make them aware of this vulnerability!