This hack is a vulnerability on Facebook’s Password Reset feature. It was found by a Bengaluru-based hacker – Anand Prakash and was rewarded $15,000 by Facebook.
Just to be clear, this hack doesn’t work anymore but if you want to learn hacking and explore the horizons of your knowledge then this article will help you a lot!
Whenever a user forgets his or her password on Facebook, he/she has an option to reset the password by entering his/her phone number/email address. Facebook will theb send a 6 digit code to their phone number or email address. Once the user puts the 6 digit code he/she will be able to set a new password.
Now here’s the main part! We’ll try to bruteforce the 6 digit code which means we’ll try each individual 6 digit numbers i.e. from 000000-99999.
If you try brute-forcing now, you'll get blocked after 10-12 invalid attempts. Like I said, this method doesn't work anymore.
The only hacking tool we’ll need is Burp suite. You can download Burp Suite from here.
If you want to get into web application hacking, then Burp Suite is a must have tool!
Burp Suite in itself is a huge topic which will need it’s own tutorial. Hence, if you aren’t familiar with Burp Suite, I suggest you first get your hands on it. There are plenty of tutorials on the internet. A basic idea of Burp Suite is enough to understand this hack.
If you know how to use Burp Suite then you already know the methods. However, for beginners who are interested here’s what we’re doing.
We’ll enter a random 6-digit number and capture the request with Burp Suite. After that we’ll try to brute force the 6-digit number and finally get the valid code sent by Facebook. Once we’ve the 6-digit code, we’ll have full access to the victim’s account.