Risk Inside Facebook and Twitter Best Practice - Lack of Password Confirmation

There are many websites including Facebook and Twitter that are missing best practices. Lack of Password confirmation allows intruders to easily takeover the users account completely.

When any user wants to change the password, current password is asked for proceeding the request and for security purpose. This should also be implemented on other sensitive actions like email, phone no. and account deletion.

If any unauthorized user or hacker access your account through anyway like session hijacking or by exploiting XSS or CSRF attack then he can easily change your password and takeover the account completely.

So, the current password field is necessary because it prevents any unauthorized user from changing the email and password.

Facebook prevents this by asking current password when changing email and password but it's still possible to change the password without knowing current password.

It's very simple. Just add your mobile number then using 'forgot password' feature, reset the password.
So, without knowing current password we can change the password and completely takeover the facebook user account.

So, password confirmation should also be implemented on mobile phone number.

The same bug also exist in Twitter. We can change twitter user password through Mobile phone number without knowing current password.

Another bug, when we change Email on Twitter, twitter asks current password but we can bypass this, in twitter subdomain ie mobile.twitter.com.
Try to change the email in mobile.twitter.com. Without knowing current password it's possible to change the email then we can easily reset the password through new email.

So, don't left your account open in any public place or anywhere because if anyone or any hacker access that device and the account then he can easily reset your account password and delete or completely takeover the account.


Popular posts from this blog

XSS like a Pro

Email Spoofing for Beginners

DoS on WAF Protected Sites by Abusing Cookie