Facebook is a social networking giant, and you might have wondered how you could hack your friend's, brother's or anyone else's Facebook ID. But it is not easy, right? Because Facebook is a multinational company, it provides high security. What if I tell you that there is a guy who can hack Facebook? You might be thinking we have all heard this before, but he is different, because he can hack not just one Facebook account but several at a time. Know everything about him below.
According to Google records, "how to hack Facebook" is one of the most searched things of all time. A hacker from California found a gaping hole in Facebook's password reset system. He hacked a couple of accounts, and he was capable of hacking any account back then.
A guy from California named Gurkirat Singh finally discovered a way to hack Facebook after a lot of research on the system. So now he can access anyone's profile using a security flaw in Facebook's password reset mechanism. Basically, Facebook uses an algorithm that generates a random 6-digit passcode, which means there are at most 10⁶ = 1,000,000 possible combinations. He explained this along with his trick.
Gurkirat explains in a blog post, “That could possibly mean that if 1 million people request a password within a short amount of time such that no one uses their code to reset the password, then 1,000,0001 people to request a code will get a passcode that someone from the batch has already been assigned.”
So, according to Gurkirat, there could be more than 1,000,000 users, so Facebook would have to issue a duplicate code once more than 1 million people are trying to reset their passwords. Because more than one person can have the same passcode, Gurkirat Singh found a way to send a million passcode-change requests to Facebook.
Now, to send that many requests you need many IPs. In his case, he used a proxy server that listens for HTTP requests. He said that he assigned a random IP to each request so that he would not be detected. He also used a multithreaded script to mimic user behavior while the process was running. How this works is that the script generates a passcode request for every user in a JSON file created earlier. Then he ran the script.
After performing all the above steps, a 6-digit passcode is matched using a brute-force technique. He put the user ID in the key ‘u’ and the passcode in the key ‘n’ of the URL www.beta.facebook.com/recover/password?u=…&n=…, and doing so returned a matching result.
Here is the thing: once all these steps were done, Singh added the matched passcode to the URL and was redirected to the password reset page. He immediately informed Facebook. But something different happened: Facebook security engineers designated this as a low-priority risk and awarded a bug bounty of $500.
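A defender's view of the flaw described above, as an added example that is not from the original article, from Gurkirat Singh or from Facebook: it computes how likely one fixed 6-digit code is to match some pending reset, and flags a code value submitted against many accounts no matter which IP each request came from. The event layout, thresholds and sample events are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample reset-code submissions, not real traffic:
# (unix_time, source_ip, account_id, submitted_code)
EVENTS = [(1000 + 5 * i, f"198.51.100.{10 + i}", f"acct-{i}", "338625")
          for i in range(6)]                      # one code, six accounts, six IPs
EVENTS += [
    (1002, "203.0.113.7", "acct-90", "114207"),   # ordinary user
    (1010, "203.0.113.7", "acct-90", "114270"),   # same user fixing a typo
    (1020, "203.0.113.9", "acct-91", "560031"),   # ordinary user
]


def exposure(pending_codes, digits=6):
    """Chance that one fixed code equals at least one of the pending codes."""
    return 1 - (1 - 10 ** -digits) ** pending_codes


def find_code_reuse(events, window_s=600, min_accounts=5):
    """Flag a code submitted for >= min_accounts accounts within window_s.

    The key is the code value, not the source IP, so spreading requests
    over many proxy addresses does not hide the pattern.
    """
    by_code = defaultdict(list)
    for ts, ip, account, code in events:
        by_code[code].append((ts, ip, account))
    alerts = []
    for code, hits in sorted(by_code.items()):
        hits.sort()
        start, best = 0, (0, 0)
        for end in range(len(hits)):
            # Slide the window start forward until it spans <= window_s.
            while hits[end][0] - hits[start][0] > window_s:
                start += 1
            window = hits[start:end + 1]
            best = max(best, (len({a for _, _, a in window}),
                              len({ip for _, ip, _ in window})))
        if best[0] >= min_accounts:
            alerts.append({"code": code, "accounts": best[0], "ips": best[1]})
    return alerts


if __name__ == "__main__":
    print(f"1,000,000 pending codes: {exposure(1_000_000):.1%} chance of a match")
    print(find_code_reuse(EVENTS))
```

With a 6-digit code space, per-IP and per-account limits alone do not bound this risk; the exposure figure shrinks only with a longer code or a cap on how many resets are pending at once.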