on Friday, February 24, 2017



When a new Facebook account is created, a verification code is sent to the user's email address to confirm their identity. The email also contains an option to disavow the confirmation in case the address was misused by someone else to create an account.

The link behind "Didn't sign up for Facebook?" carries a confirmation code, which is a 5-digit code:





The parameter "c" could be brute-forced by an attacker to find the right confirmation code and disable someone's unverified Facebook account.
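The weakness above comes down to guess space: a 5-digit numeric code has only 100,000 values (about 16.6 bits), so an unauthenticated link that accepts unlimited attempts will eventually be guessed. The following is an added example, not Facebook's code or the fix they shipped, of how a defender would harden such a disavow endpoint: a long random single-use token instead of a short code, constant-time comparison, and a per-account attempt lockout. The `DisavowService`, `PendingSignup` and `MAX_ATTEMPTS` names are hypothetical.

```python
import hmac
import math
import secrets
from dataclasses import dataclass
from typing import Dict

# Hypothetical lockout threshold (constructed for this example).
MAX_ATTEMPTS = 5


def expected_guesses(alphabet_size: int, length: int) -> int:
    """Average number of guesses to hit a uniformly random code by exhaustive search."""
    return (alphabet_size ** length) // 2


def token_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random code of the given alphabet and length, in bits."""
    return length * math.log2(alphabet_size)


@dataclass
class PendingSignup:
    """Server-side record of an unverified signup (constructed example)."""
    email: str
    disavow_token: str        # high-entropy, single-use secret embedded in the email link
    failed_attempts: int = 0
    disavowed: bool = False
    locked: bool = False


class DisavowService:
    """Hypothetical 'Didn't sign up?' handler with the mitigations a defender wants."""

    def __init__(self) -> None:
        self.pending: Dict[str, PendingSignup] = {}

    def register(self, email: str) -> str:
        # 32 random bytes = 256 bits of entropy; compare with ~16.6 bits for a 5-digit code.
        token = secrets.token_urlsafe(32)
        self.pending[email] = PendingSignup(email=email, disavow_token=token)
        return token

    def disavow(self, email: str, presented: str) -> str:
        """Return 'disavowed' on success, otherwise 'rejected' (one uniform failure response)."""
        rec = self.pending.get(email)
        # Unknown address, already-used token and locked record all look identical to the caller.
        if rec is None or rec.locked or rec.disavowed:
            return "rejected"
        # Constant-time comparison avoids leaking how many leading characters matched.
        if hmac.compare_digest(rec.disavow_token, presented):
            rec.disavowed = True
            rec.disavow_token = ""   # single use: the link cannot be replayed
            return "disavowed"
        rec.failed_attempts += 1
        if rec.failed_attempts >= MAX_ATTEMPTS:
            rec.locked = True        # further guesses are refused regardless of value
        return "rejected"


if __name__ == "__main__":
    print("5-digit code: avg guesses =", expected_guesses(10, 5),
          "entropy bits =", round(token_bits(10, 5), 1))
    svc = DisavowService()
    tok = svc.register("alice@example.invalid")   # constructed address
    print(svc.disavow("alice@example.invalid", "00000"))   # rejected
    print(svc.disavow("alice@example.invalid", tok))       # disavowed
```

The lockout counter is kept per pending record, so an attacker who does not know the token gets at most `MAX_ATTEMPTS` tries per account, while a large token makes those tries meaningless anyway; the two controls are deliberately independent so that a regression in one does not reopen the hole.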

Facebook fixed this after it was reported to the security team.



Report sent: 29 Aug 2014
Escalation: 29 Aug 2014
Fix: 23 October 2014
Bounty awarded: 23 October 2014