Change the password of an active user without knowing the original password: a security bug. Facebook allows changing the password from an active login without entering the current password.
This might (not) be a security bug in Facebook, and it will probably have been fixed by Facebook by the time you try the same thing, because I am going to report this to Facebook.
All the steps I share below deal with changing someone else's password without entering their previous/current password. I have never seen or written code for a "login preference change" that allows changing the password without entering the previous password or other information. I was shocked to learn that Facebook allows it. I was just playing with the Security option in Facebook's Account settings at https://www.facebook.com/settings and found this.
Steps that I followed:
- Go to Facebook's Account settings at https://www.facebook.com/settings and choose Security. Then choose "Deactivate your account".
- Choose "My account was hacked" and click "here".
(Screenshot: why is there an option "My account was hacked"?)
- Continue --> Continue.
- Here is the odd thing: there is no input field for the old password.
(Screenshot: Facebook allows changing the password from an active login without entering the current password.)
- You will then see the following screens. Continue --> Continue.
Some thoughts:
If a user's account was really hacked, they wouldn't be able to log in and see this screen. Since this screen/option can only be accessed by a logged-in user, isn't the "My account was hacked" option odd? What is its actual purpose?
Consider a situation like this: you log in to your FB account from a PC and forget to log out. Then anyone can change your password and misuse the account.
This wouldn't be a big problem, because once the genuine user knows that someone else has changed their password they won't lose their account; they can still reset it. I just don't know why they put the "My account was hacked" option under "Deactivate your account". This option is completely useless.
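To make the forgotten-logout scenario concrete, here is an added example (my own illustration, not Facebook's code and not taken from the post) of a toy password-change service. `change_password_weak` behaves like the flow described above: holding an active session is enough to set a new password. `change_password_hardened` is the check a practitioner would expect: it demands the current password (re-authentication) before the change and then revokes every other session, so a hijacked session on an unattended PC can neither take over the account nor survive the owner's password rotation. The user store, usernames and passwords are constructed for the demo.

```python
import hashlib
import hmac
import os
import secrets


def _hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256; fine for a demo, use a tuned KDF (argon2/scrypt) in production."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class UserStore:
    """Constructed in-memory user store: password hash, salt and the live session tokens."""

    def __init__(self):
        self.users = {}

    def create_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = {"salt": salt, "hash": _hash_password(password, salt), "sessions": set()}

    def _check_password(self, user: dict, password: str) -> bool:
        return hmac.compare_digest(user["hash"], _hash_password(password, user["salt"]))

    def login(self, username: str, password: str) -> str:
        user = self.users[username]
        if not self._check_password(user, password):
            raise PermissionError("bad credentials")
        token = secrets.token_hex(16)
        user["sessions"].add(token)
        return token

    def _user_for_session(self, token: str):
        for name, user in self.users.items():
            if token in user["sessions"]:
                return name, user
        raise PermissionError("no active session")

    def change_password_weak(self, session_token: str, new_password: str) -> str:
        """Weak flow, as in the post: an active session alone authorizes a password change."""
        name, user = self._user_for_session(session_token)
        user["salt"] = os.urandom(16)
        user["hash"] = _hash_password(new_password, user["salt"])
        return name

    def change_password_hardened(self, session_token: str, current_password: str, new_password: str) -> str:
        """Hardened flow: re-authenticate with the current password, then revoke other sessions."""
        name, user = self._user_for_session(session_token)
        if not self._check_password(user, current_password):
            raise PermissionError("current password required")
        if len(new_password) < 12 or new_password == current_password:
            raise ValueError("new password too short or unchanged")
        user["salt"] = os.urandom(16)
        user["hash"] = _hash_password(new_password, user["salt"])
        user["sessions"] = {session_token}  # only the session that proved the password survives
        return name


def run_weak_scenario() -> bool:
    """Owner forgets to log out; attacker at the PC sets a password without knowing the old one."""
    store = UserStore()
    store.create_user("alice", "correct horse battery staple")
    pc_session = store.login("alice", "correct horse battery staple")
    store.change_password_weak(pc_session, "attacker-chosen-secret")
    # The attacker can now log in from anywhere with the password they chose.
    return store.login("alice", "attacker-chosen-secret") is not None


def run_hardened_scenario() -> tuple:
    """Same forgotten PC session, but the change requires the current password."""
    store = UserStore()
    store.create_user("alice", "correct horse battery staple")
    pc_session = store.login("alice", "correct horse battery staple")
    phone_session = store.login("alice", "correct horse battery staple")
    try:
        store.change_password_hardened(pc_session, "a guess", "attacker-chosen-secret")
        attacker_blocked = False
    except PermissionError:
        attacker_blocked = True
    # The owner notices, re-authenticates from the phone and rotates the password;
    # the forgotten PC session is revoked as part of the change.
    store.change_password_hardened(phone_session, "correct horse battery staple", "new longer passphrase")
    pc_session_revoked = pc_session not in store.users["alice"]["sessions"]
    return attacker_blocked, pc_session_revoked


if __name__ == "__main__":
    print("weak flow: attacker owns the account:", run_weak_scenario())
    print("hardened flow: (attacker blocked, stale session revoked):", run_hardened_scenario())
```

The design point is that an active session proves only that someone once logged in on that device, not that the person now at the keyboard is the owner; a sensitive change like a password reset should re-verify the secret and should end the other sessions so the owner's rotation actually locks the intruder out.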