Is this a problem in Facebook (brute-force)? Should Facebook ignore this?
Hey, welcome back to my Medium; this is my second write-up. Here I will share what I found on Facebook and how Facebook ignored it, saying it is not a valid security issue. So, after my previous bug got marked as a duplicate, I became sad and tried harder to find something new. After a lot of research, I was finally able to find something with which I can do brute-force on any random Facebook email.
To explain more about this finding: I first got to know that every 10–20 minutes we can try the password again for that random email. Oh, I forgot to mention that I found this issue when signing up. After a little more research, I found that after the limit is reached from one IP, we can do the same process again from another/new IP without waiting (I mean Facebook doesn’t block us from doing our task as it does on the login page). In other words, by using proxy services we can change the IP to conduct the brute-force without any problem. So, without doing further research, I reported it to Facebook, and after 3 days I got a response from Facebook asking for more data and proof.
For some reason, I was not able to respond to them on that day, and the next day I made a proof video. After that video proof, they responded to me again after 4 days, saying: “protecting against password collection for users with weak passwords is unfortunately impossible. Even if we disallow multiple login attempts from the same IP (which we do, i.e. the login endpoints do have rate limits that we consider reasonable), it’s trivial for an attacker to use one or more cloud service providers, open proxies, or compromised machines to enumerate passwords for weak accounts. While we might make changes to our login endpoints’ rate limits in the future, we’re comfortable with the limits we have in place today, so this issue is not eligible for a bounty. We will follow up with you on any security bugs or with any further questions we may have.”
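The disagreement above comes down to what the rate limit is keyed on: a limit counted per source IP resets as soon as the source changes, while a limit counted per target account does not. The following is an added example, not Facebook's code or anything from the report; it is a toy in-memory limiter with both buckets, a simulated run of attempts against one account from many addresses inside one window, and a distinct-IP-per-account counter as a detection signal. All names, limits, addresses and the sample target email are constructed for illustration.

```python
"""Per-IP versus per-account rate limiting for a credential-check endpoint.

Added example, not Facebook's code. A limit keyed only on the source IP resets
when the source changes; a second bucket keyed on the target account caps
attempts no matter how many addresses they come from. A distinct-IP counter
per account gives a detection signal for the same pattern.
All names, limits and sample attempts below are constructed.
"""
from collections import defaultdict


class FixedWindowLimiter:
    """Allow at most `limit` events per key within a window of `window` seconds."""

    def __init__(self, limit: int, window: float):
        self.limit = limit
        self.window = window
        self.counts = defaultdict(int)
        self.window_start = {}

    def allow(self, key: str, now: float) -> bool:
        start = self.window_start.get(key)
        if start is None or now - start >= self.window:
            # First event in a new window for this key: reset its counter.
            self.window_start[key] = now
            self.counts[key] = 0
        if self.counts[key] >= self.limit:
            return False
        self.counts[key] += 1
        return True


class PasswordCheckEndpoint:
    """Toy endpoint guarding a password check with two independent limiters."""

    def __init__(self, per_ip_limit=5, per_account_limit=10, window=600.0,
                 account_limit_enabled=True):
        self.per_ip = FixedWindowLimiter(per_ip_limit, window)
        self.per_account = FixedWindowLimiter(per_account_limit, window)
        self.account_limit_enabled = account_limit_enabled
        self.ips_per_account = defaultdict(set)  # detection signal
        self.checked = 0  # attempts that actually reached the password check

    def attempt(self, ip: str, email: str, now: float) -> str:
        self.ips_per_account[email].add(ip)
        if not self.per_ip.allow(ip, now):
            return "blocked_ip"
        if self.account_limit_enabled and not self.per_account.allow(email, now):
            return "blocked_account"
        self.checked += 1
        return "checked"

    def accounts_with_many_sources(self, threshold: int) -> list:
        """Accounts targeted from at least `threshold` distinct IPs in this run."""
        return sorted(e for e, ips in self.ips_per_account.items()
                      if len(ips) >= threshold)


def simulate(account_limit_enabled: bool, n_ips: int = 20, per_ip: int = 8) -> dict:
    """Send `per_ip` attempts against one account from each of `n_ips` addresses,
    all inside a single window, and tally the outcomes."""
    endpoint = PasswordCheckEndpoint(account_limit_enabled=account_limit_enabled)
    target = "victim@example.com"  # constructed sample target
    outcomes = defaultdict(int)
    now = 0.0
    for i in range(n_ips):
        ip = f"198.51.100.{i + 1}"  # constructed, documentation address range
        for _ in range(per_ip):
            outcomes[endpoint.attempt(ip, target, now)] += 1
            now += 1.0  # one second apart, well inside the 600 s window
    outcomes["checked_total"] = endpoint.checked
    outcomes["flagged"] = endpoint.accounts_with_many_sources(threshold=10)
    return dict(outcomes)


if __name__ == "__main__":
    # With only the per-IP bucket, every new address gets a fresh quota and
    # 100 of the 160 attempts reach the password check. With the per-account
    # bucket added, only the first 10 do, whichever addresses they come from.
    print("per-IP only:     ", simulate(account_limit_enabled=False))
    print("per-IP + account:", simulate(account_limit_enabled=True))
```

Two caveats a deployment has to weigh: a fixed window lets a burst straddle the boundary (a sliding window or token bucket is tighter), and a hard per-account limit is itself a lockout lever against the account's legitimate owner, which is why the usual counterpart to the account bucket is a step-up challenge rather than an outright block. The distinct-IP count is the signal to alert on either way, since one account being tried from many addresses inside one window is the pattern the write-up describes.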
I again tried to make it clear to them, as I think this is a security issue. So, I sent them a link to a write-up of the same kind of bug on Instagram. I received their response after 4 days saying this is not a security issue, and I left it.
So, my doubt is: is this a security bug? Was I not able to make it clear to Facebook? Should Facebook ignore this, knowing about it?
Thanks for spending your time reading this write-up. If there is any mistake, or if you found me doing something silly, then sorry for that; I will be improving such things soon.
POC Video:- https://youtu.be/6yhH8I_8ZXA
Upcoming write-up:- Facebook New Account Verification Bypass.
See this write-up on:- https://medium.com/@santoshbrl5/da18ac4f700f