Another major security flaw on Facebook that allows you to bypass password & then security question of your friend and reset the password with the help of 2 more mutual friends has been discovered.
The flaw is actually a feature that can be easily abused to hack your friends Facebook account by going through the password reset process.
This hidden password reset feature allows you to bypass the security question (which is asked on password reset page) and reset the password with the help of 3 friends (possibly your fake accounts).
Note: If you haven’t set your security question yet, then please do not bother to set any because it’s useless. The most important thing you got to do now is “register your mobile” on Facebook if you haven’t yet. If you have had already chosen your security question, then please read this post carefully to know how you can protect yourself from this attack.
Also See: How to hack Facebook password
Everyone knows that most of the websites prompt their users to select a security question so that in case you forget your password, you can easily reset it. However, when it comes to Facebook, things can become worse if you have set your security question.
Recently I was just playing with Facebook’s password reset process and just found out that there is a secret way to Bypass Facebook’s Security Question and get straight to the password reset process.
Go to Facebook’s forgot password page and enter your friend’s email or Full name to search his/her linked account.
Facebook will now search for an appropriate account that is associated with the information you provided. Select your account and click “This is my account”.
Next Facebook will present to you the available options to recover your account.
Now click “No longer have access to these?” and Facebook will now ask for a new email address so that it can send you messages regarding recovering of the account password.
Enter the email address and click submit and as expected there is also another layer of security called “Security Question”.
Now here comes the critical vulnerability. Interestingly If you type-in wrong answers three times in a row, you can Just bypass this layer of security and you will see another interesting way to reset account password with the help of 3 friends.
As you can see above there are three steps involved in the recovery process. First, you will have to select 3 trusted friends for the help (If you are trying to hack your friend’s password, then you may select yourself and 2 more friends).
please select Trusted Friends only because any of the Friend can potentially gain access to your friends Facebook account through standard password recovery Process.
Once you select 3 trusted friends of yours, Facebook will then email secret security codes to each of your selected Friends. Now your job is to call your friends and get the 3 security codes.
Once you collect the 3 security code, enter them one by one in step 3. Finally, Facebook will then allow you to reset your password through the standard email recovery process.
Important: Note that the victim’s account will be locked for 24 hours after this password change and also the user’s old email address will receive a notification of the password change including the names of the 3 friends who were involved in this password change. Yes, you guessed it right, you could also create 3 fake profiles and add them to your victim’s friends list first and then carry out this hacking process.
How do I protect myself from this Attack?
As you can see we easily bypassed Facebook’s security question, There is no use of setting any security question. If you haven’t selected any security question on Facebook, Just sit back and hang loose, don’t bother to set any. Just register your mobile on Facebook.
Its Important that you Register your Mobile on Facebook.
Unfortunately, it is not possible to update or remove your account’s security question once you have added one. So, guys If you have had already added security question in your Account Settings, You are at Risk. So to avoid this attack, you will need to update your ‘Account Security’ In Account Settings.
- Go to Account Settings and click ‘Account Security’. You will see the below options:
- Check all the three options. When you check the third option called “Login Approvals”, Facebook will then add another level of security to your account. ‘Login approvals’ is a security feature that requires you to enter a code that Facebook will text to your phone when you log in from an unrecognized computer
- Never befriend or accept friend requests from people you don’t know.
- If by chance anybody resets your password through this attack, your email address will receive a notification of the password change including the names of the 3 friends who were involved in the password change. You will then have only 24hrs to act on it, So always Check your email every day.
- In case if your planning to go for a vacation, never update your status saying you “I will be offline for some days” or similar to that. Your vacation is enough for a hacker to compromise your account.
Do share this post with your friends and make them aware of this vulnerability!