A critical zero-click exploit uncovered by a seasoned bug bounty hunter, ranked number one in the Facebook Hall of Fame 2024, could have enabled attackers to take over any Facebook account. Samip Aryal, a bug bounty hunter from Nepal, has published details of how he found a vulnerability in Facebook’s password reset system that would allow an attacker to compromise any Facebook account. The zero-click exploit earned Aryal his highest bounty so far, although the precise amount has not been disclosed.
In a blog posting describing the exploit on Medium, Aryal describes the zero-click vulnerability as a “rate-limiting issue in a specific endpoint of Facebook’s password reset flow that could’ve allowed the takeover of any Facebook account by brute-forcing a particular type of nonce.” The Wikipedia definition of a cryptographic nonce is “an arbitrary number that can be used just once in a cryptographic communication.”
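The defensive counterpart to the issue described above, as an added example that is not from the article or from Facebook's own systems: a reset-code store that expires each issued code and caps the number of failed verification attempts per code, so a short numeric nonce cannot be guessed exhaustively. The code length (6 digits), attempt budget and lifetime are assumptions; the article does not give the nonce format.

```python
import hmac
import secrets
import time

# Constructed example (not Facebook's code): limits guesses per reset code.
CODE_DIGITS = 6      # assumption: 6-digit numeric reset code
MAX_ATTEMPTS = 5     # failed guesses allowed before the code is revoked
TTL_SECONDS = 600    # code lifetime in seconds


class ResetCodeStore:
    def __init__(self, now=time.time):
        self._now = now
        # account_id -> [code, expires_at, attempts_left]
        self._codes = {}

    def issue(self, account_id):
        # secrets.randbelow is a CSPRNG; zero-pad to a fixed width
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._codes[account_id] = [code, self._now() + TTL_SECONDS, MAX_ATTEMPTS]
        return code

    def verify(self, account_id, guess):
        entry = self._codes.get(account_id)
        if entry is None:
            return False
        code, expires_at, attempts_left = entry
        if self._now() > expires_at or attempts_left <= 0:
            del self._codes[account_id]
            return False
        # Charge the attempt before comparing so every wrong guess costs budget
        entry[2] -= 1
        if hmac.compare_digest(code, str(guess)):
            del self._codes[account_id]   # single use: a nonce is valid once
            return True
        if entry[2] == 0:
            del self._codes[account_id]   # budget exhausted: revoke the code
        return False
```

Without the per-code attempt budget and expiry, the only thing standing between an attacker and a 6-digit code is transport-level rate limiting, which is exactly the control the article says was missing on one endpoint.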
Aryal explains that by uninstalling and re-installing different versions of Facebook for Android, and critically by using “different user-agents to see the server’s responses on each of the login pages,” he noticed that a password reset notification offering to send a login code popped up. This piqued Aryal’s interest enough for him to begin testing, for three reasons: