Serious vulnerability lets hackers take over Facebook accounts without any action from the victim
Cyber security expert Samip Aryal has just published information about a security vulnerability on this social network, allowing hackers to exploit victims' accounts without requiring any action from them.
The problem was discovered and patched on February 2, but was only announced now due to security regulations.
The vulnerability is related to the Facebook password reset process, through the optional feature of sending authentication codes. This 6-digit code is sent to another device on which the user is logged in or which the user has pre-registered, to authenticate the original user, and is used to complete the password reset process on a new device.
According to Samip Aryal's findings, Facebook sent a fixed authentication code (the digit sequence did not change) that was valid for 2 hours and had no security measures protecting it.
This means that attackers could enter the wrong activation code countless times within the 2 hours after the code was sent without encountering any preventive measures from Facebook's system. Normally, a security system suspends login rights if the wrong code or password is entered more than a specified number of times.
Hackers have 2 hours to steal user accounts.
This is a 0-click attack: hackers can steal the victim's account without any action from the victim.
When this vulnerability is exploited, Facebook will send a password recovery notification to the victim. Therefore, if you receive this message, it is likely that your account is being attacked or hijacked.
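The controls the article describes as missing (a limit on wrong guesses, a short lifetime, and a code that changes on every request) can be sketched as follows. This is an added example, not Facebook's code and not taken from Samip Aryal's report; the class name, the 10-minute lifetime and the 5-attempt limit are assumptions chosen for illustration.

```python
import hmac
import secrets
import time


class ResetCodeStore:
    """In-memory reset-code verifier (hypothetical name, illustrative policy)."""

    def __init__(self, ttl_seconds=600, max_attempts=5, clock=time.monotonic):
        self.ttl = ttl_seconds            # assumed policy: 10 minutes, not 2 hours
        self.max_attempts = max_attempts  # assumed policy: 5 wrong guesses
        self.clock = clock                # injectable so expiry can be tested
        self._pending = {}                # account -> [code, issued_at, failures]

    def issue(self, account):
        # A fresh random code on every request replaces any earlier one.
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[account] = [code, self.clock(), 0]
        return code

    def verify(self, account, guess):
        entry = self._pending.get(account)
        if entry is None:
            return "no_code"
        code, issued_at, failures = entry
        if self.clock() - issued_at > self.ttl:
            del self._pending[account]
            return "expired"
        # Constant-time comparison of the submitted digits.
        if hmac.compare_digest(code.encode(), str(guess).encode()):
            del self._pending[account]    # single use
            return "ok"
        entry[2] = failures + 1
        if entry[2] >= self.max_attempts:
            # Burn the code: later guesses, even the correct one, are refused.
            del self._pending[account]
            return "locked"
        return "wrong"


def guess_success_bound(max_attempts, code_space=10**6):
    """Upper bound on a blind guesser's chance of success per issued code."""
    return min(max_attempts, code_space) / code_space
```

With 5 attempts per code the bound is 5 in 1,000,000; with no attempt limit over a 2-hour window, all 1,000,000 values of a fixed 6-digit code can be tried. A deployed system would also rate-limit how often `issue` can be called for one account.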
Shared by Isabella Humphrey