Slashdot Mirror


Facebook Fixes Bug That Allowed Users To Set Other Users' Passwords

An anonymous reader writes: Facebook has paid $15,000 (€13,600) to an independent security researcher who discovered a simple way of resetting passwords for other people's Facebook accounts, setting a new passphrase and effectively taking over profiles.

The problem was that Facebook also runs a beta platform on beta.facebook.com. This platform's "reset password" feature did not include brute-force protection and allowed anyone to guess the six-digit verification code sent to someone's phone when resetting the password. This issue also raises another question: How many unsafe features are on Facebook's beta platform that have not been patched simultaneously with the main platform?
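The story describes a six-digit SMS code that could be guessed without limit. As an added illustration (not Facebook's code and not part of the Slashdot story), the Python below models that reset endpoint in its unprotected form beside a variant with a failed-attempt cap, then runs a brute-force loop against both. The class and function names, the fixed demonstration code and the sample user are assumptions made for this example.

```python
import hmac
import secrets

CODE_DIGITS = 6
CODE_SPACE = 10 ** CODE_DIGITS  # 1,000,000 possible six-digit codes


class ResetService:
    """Toy model of an SMS-code password-reset endpoint (assumed name).

    max_attempts=None models the unprotected beta endpoint from the story:
    the same code can be guessed any number of times.
    A small max_attempts models the hardened version: after that many
    failures the code is invalidated and a fresh reset must be requested.
    """

    def __init__(self, max_attempts=None):
        self.max_attempts = max_attempts
        self._codes = {}     # user -> live code (str)
        self._failures = {}  # user -> failed guesses against the live code

    def start_reset(self, user, code=None):
        """Issue a code for user; a real service would SMS it, here it is returned.

        `code` may be supplied to make a demonstration reproducible.
        """
        if code is None:
            code = f"{secrets.randbelow(CODE_SPACE):0{CODE_DIGITS}d}"
        self._codes[user] = code
        self._failures[user] = 0
        return code

    def is_active(self, user):
        return user in self._codes

    def verify(self, user, guess):
        """Return True only if guess matches a live code for user."""
        code = self._codes.get(user)
        if code is None:
            return False  # no reset in progress, or code already invalidated
        if hmac.compare_digest(code, guess):  # constant-time comparison
            del self._codes[user]  # single use
            return True
        self._failures[user] += 1
        if self.max_attempts is not None and self._failures[user] >= self.max_attempts:
            del self._codes[user]  # lockout: further guesses are pointless
        return False


def brute_force(service, user):
    """Attacker loop: try 000000..999999 until the service accepts a guess.

    Returns (takeover_succeeded, guesses_made). Stops as soon as the
    service invalidates the code, which is what a lockout forces.
    """
    for n in range(CODE_SPACE):
        if service.verify(user, f"{n:0{CODE_DIGITS}d}"):
            return True, n + 1
        if not service.is_active(user):
            return False, n + 1
    return False, CODE_SPACE


def demo(code="483920"):
    """Run the attack against both variants with a constructed fixed code."""
    victim = "victim@example.com"  # constructed sample user

    unprotected = ResetService(max_attempts=None)
    unprotected.start_reset(victim, code)
    took_over, guesses = brute_force(unprotected, victim)

    hardened = ResetService(max_attempts=5)
    hardened.start_reset(victim, code)
    took_over_hardened, guesses_hardened = brute_force(hardened, victim)

    return {
        "unprotected_takeover": took_over,
        "unprotected_guesses": guesses,
        "hardened_takeover": took_over_hardened,
        "hardened_guesses": guesses_hardened,
    }


if __name__ == "__main__":
    print(demo())
```

Against the unprotected variant the loop walks the whole million-code space and takes the account as soon as it reaches the right code; against the capped variant it is cut off after five failures. A real deployment would also expire codes after a few minutes and throttle per account and per source address, and, as the story's closing question points out, the protection only helps if it is present on every host that serves the endpoint, beta included.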

1 of 49 comments

  1. Better question: why run prod data in beta? by xxxJonBoyxxx · Score: 4, Interesting

    I could see having a per-account switch to "allow me to use my account in beta" (default = OFF) for developers who want to play with this stuff, but why would you want to expose your production customers to untested software like this?

    >> Weird to see less protection on the beta platform

    Not if you've ever seen teams refactor code in a large codebase. When that occurs, you often lose a lot of the "history" and "memory" of a branch, which often resurfaces bugs, edge cases taken care of years ago and new vulnerabilities.