The weakness here is the lack of entropy in the password reset code.
I mean that you choose a random 6-digit number (338625) and try it against many users. So the attacker has to guess a reset code from 10^6 possibilities. At some point it may work.
Calculation: Since Facebook has a large user base and receives a large number of password reset requests, say 10000 (10^4) in the 3 minutes before they expire, which is comparable to 10^6, the probability that this password reset code is valid against some user is 0.01.

> Will making the reset code much bigger help resolve the problem,
> or will Facebook need a new reset technology?

Facebook can simply fix it by increasing the entropy of the password reset code.
This can be done easily by:
- Having alphabets ([A-Z|a-z]: 52), digits (0-9: 10), and special characters (say 10) in the password reset code.
- Having a good length of, say, 10 characters (answer by Rory McCune).
 
Calculation: For a reset code of length 6, the attacker now has to guess a reset code among (52+10+10)^6.
The probability that this reset code randomly chosen by the attacker matches a valid password reset code among the above 10^4 is 0.000000071 or 7.1*10^-8. Instead of doing this, the attacker has a better chance of guessing the password itself and trying it against many users.

> How to defend from this attack, should I reset it again after I
> receive the reset message from the attacking process, or should I
> reset via mail?

I think efforts to secure against this attack should come from Facebook, since users may not look at the reset message/email as soon as it arrives. From the user's point of view, all I can think of is enabling Two Factor Authentication.
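
The two calculations in the answer above, reworked as an added example (not part of the original answer) that also finds the code length needed for a chosen risk target and generates a code from a CSPRNG. The choice of the 10 special characters and the `1e-12` target are assumptions made for illustration.

```python
import math
import secrets
import string

# 52 letters + 10 digits + 10 special characters = 72 symbols, as in the answer.
# Which 10 special characters to use is an assumption made for this example.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_"


def hit_probability(alphabet_size, length, outstanding):
    """Chance that one guessed code equals one of `outstanding` distinct,
    unexpired codes drawn uniformly from alphabet_size**length values."""
    return min(1.0, outstanding / alphabet_size ** length)


def entropy_bits(alphabet_size, length):
    """Entropy of one uniformly random code, in bits."""
    return length * math.log2(alphabet_size)


def min_length(alphabet_size, outstanding, max_probability):
    """Shortest code length that keeps hit_probability at or below the target."""
    length = 1
    while hit_probability(alphabet_size, length, outstanding) > max_probability:
        length += 1
    return length


def new_reset_code(length=10):
    """Build a code from the OS CSPRNG (secrets), not the random module."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    outstanding = 10 ** 4  # reset requests alive in one 3-minute window (from the answer)
    for label, size, length in [("6 digits", 10, 6),
                                ("6 chars of 72", len(ALPHABET), 6),
                                ("10 chars of 72", len(ALPHABET), 10)]:
        print(f"{label:15} {entropy_bits(size, length):5.1f} bits  "
              f"p(hit) = {hit_probability(size, length, outstanding):.2e}")
    print("length needed for p <= 1e-12:", min_length(len(ALPHABET), outstanding, 1e-12))
    print("sample code:", new_reset_code())
```
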