Monday, 27 November 2017

Every time a user requests a password change through the "Forgot Password" link, Facebook generates the same OTP.

Recently I observed that the same OTP is emailed to me every time I request a password change through the "Forgot Password" link.

The OTP only changes once it has been used.


Attack Vectors


· Brute-force attack: Though the risk level of this issue is low, an attacker still has an advantage if he tries to brute-force the OTP, because the code stays valid until it is used (he can try different OTPs 15-20 times a day for many days).

· Social engineering: An attacker can try to get access to the victim's email account to obtain the OTP, which remains valid for as long as it is unused.

This issue can also be exploited in combination with other flaws.


As per Facebook, this attack scenario is not feasible.
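To make the defensive point concrete, here is an added example (not code from the post and not Facebook's implementation) that models the behaviour described above beside a hardened version. `ReusingOtpStore` hands out one code and re-sends it on every request until it is consumed, so wrong guesses never shorten its lifetime. `RotatingOtpStore` replaces the outstanding code on every request, expires it after an assumed ten-minute lifetime, and voids it after an assumed budget of five wrong guesses, so a guessing campaign spread over days cannot accumulate against a single code. The code-generator and clock parameters are assumptions added so the behaviour can be exercised deterministically.

```python
import hmac
import secrets
import time

OTP_DIGITS = 6
OTP_TTL_SECONDS = 10 * 60   # assumed lifetime for the hardened store
MAX_ATTEMPTS = 5            # assumed wrong-guess budget before the code is voided


def random_code():
    """Uniformly random, zero-padded numeric code drawn from the CSPRNG."""
    return f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"


def _same(stored, presented):
    """Constant-time comparison; non-ASCII or non-string input is simply rejected."""
    if not isinstance(presented, str) or not presented.isascii():
        return False
    return hmac.compare_digest(stored, presented)


class ReusingOtpStore:
    """Constructed model of the behaviour the post describes: a code is generated
    once and re-sent on every request until it is consumed, and wrong guesses
    leave it in place, so the window for guessing it is unbounded."""

    def __init__(self, gen=random_code):
        self._gen = gen
        self._codes = {}  # user -> outstanding code

    def request(self, user):
        if user not in self._codes:
            self._codes[user] = self._gen()
        return self._codes[user]

    def verify(self, user, code):
        if _same(self._codes.get(user, ""), code):
            del self._codes[user]  # rotates only once the code has been used
            return True
        return False


class RotatingOtpStore:
    """Hardened variant: each request replaces the outstanding code, the code
    expires after OTP_TTL_SECONDS, and MAX_ATTEMPTS wrong guesses void it so
    the user has to request a fresh one."""

    def __init__(self, gen=random_code, now=time.time):
        self._gen = gen
        self._now = now
        self._codes = {}  # user -> [code, expires_at, attempts_left]

    def request(self, user):
        code = self._gen()
        self._codes[user] = [code, self._now() + OTP_TTL_SECONDS, MAX_ATTEMPTS]
        return code

    def verify(self, user, code):
        entry = self._codes.get(user)
        if entry is None:
            return False
        stored, expires_at, attempts_left = entry
        if self._now() > expires_at:
            del self._codes[user]      # expired: never accept, force a new request
            return False
        if _same(stored, code):
            del self._codes[user]      # single use
            return True
        entry[2] = attempts_left - 1
        if entry[2] <= 0:
            del self._codes[user]      # guess budget exhausted: void the code
        return False


if __name__ == "__main__":
    weak = ReusingOtpStore()
    print("weak store re-sends the same code:",
          weak.request("alice") == weak.request("alice"))
    hard = RotatingOtpStore()
    old = hard.request("alice")
    hard.request("alice")
    print("hardened store still accepts the superseded code:",
          hard.verify("alice", old))
```

The two stores expose the same `request`/`verify` interface, so the difference a reviewer would look for is entirely in what happens to an unused code between requests: in the weak store nothing, in the hardened store replacement, expiry, or lockout.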

