Facebook’s Password Reset Flaw: Bypass Password & Security Question!

Another major security flaw has been discovered on Facebook: it allows anyone to bypass the security question on a Facebook account and reset its password with the help of 3 friends.

In case you want to reset your password and you don’t remember the security question, this hidden password reset feature allows you to bypass the security question (which is asked on the password reset page) and reset the password.

The flaw is actually a feature that can be easily abused to hack your friend’s Facebook account by going through the password reset process. To hack your friend’s Facebook account, you would only need the help of 2 common friends, since you can select yourself as the third person.

Note: If you haven’t set your security question yet, then please do not bother to set any because it’s useless. The most important thing you have to do now is “register your mobile” on Facebook if you haven’t yet. If you have already chosen your security question, then please read this post carefully to learn how you can protect yourself from this attack.


How to Bypass Security Question on Facebook?

Everyone knows that most websites prompt their users to select a security question so that, in case you forget your password, you can easily reset it. However, on Facebook, having set a security question actually puts you at greater risk.

Recently, I was playing with Facebook’s password reset process and found out that there is a secret way to bypass Facebook’s security question and get straight to the password reset process.

Here’s how:

Go to Facebook’s forgot password page and enter your friend’s email or full name to search for his/her linked account.

Facebook will now search for an account associated with the information you provided. Select the account and click “This is my account”.

Next, Facebook will present to you the available options to recover your account.

[Screenshot: facebook hacking]

Now click “No longer have access to these?”. Facebook will ask for a new email address so that it can send you messages about recovering the account password.

Enter the email address and click Submit. As expected, there is another layer of security, the “Security Question”.

Now here comes the critical vulnerability. Interestingly, if you type in the wrong answer three times in a row, you simply bypass this layer of security and are shown another way to reset the account password: with the help of 3 friends.

[Screenshot: facebook friend hacking]

As you can see above, there are three steps in the recovery process. First, you have to select 3 trusted friends to help (if you are trying to hack your friend’s password, you may select yourself and 2 more friends).

Please select trusted friends only because any of the friends can potentially gain access to your friend’s Facebook account through the standard password recovery process.

Once you select 3 trusted friends, Facebook will email a secret security code to each of them. Now your job is to call your friends and get the 3 security codes.

Once you collect the 3 security codes, enter them one by one in step 3. Finally, Facebook will then allow you to reset your password through the standard email recovery process.

Important: Note that the victim’s account will be locked for 24 hours after this password change and the user’s old email address will receive a notification of the password change including the names of the 3 friends who were involved in this password change. Yes, you guessed it right. You could also create 3 fake profiles and add them to your victim’s friends list first, then carry out this hacking process.
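The flow described above is easier to reason about as code. The block below is an added illustration, not Facebook's code: it models a weak recovery flow in which three wrong security answers fall through to trusted-friends recovery, and puts it next to a hardened policy that locks out instead, refuses the requester as a helper, and requires helpers to be long-standing friends. All accounts, friend dates and requests are constructed, and the hardened rules are assumptions about a safer design, not a description of Facebook's behaviour.

```python
"""Weak vs. hardened account-recovery policy (added illustration, not
Facebook's code). Scenario data below is constructed."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional

WRONG_ANSWER_LIMIT = 3   # wrong answers the post says are allowed
HELPERS_REQUIRED = 3     # trusted friends who each receive a code


@dataclass
class Account:
    owner: str
    security_answer: Optional[str]       # None: no security question set
    friends: dict[str, date]             # friend -> date the friendship began
    phone_registered: bool = False       # the post's main recommendation


@dataclass
class RecoveryRequest:
    requester: str
    answers: list[str]                   # answers tried at the question step
    helpers: list[str]                   # friends chosen to receive codes
    codes_returned: int = 0              # codes the requester collected
    has_phone_code: bool = False         # code texted to the registered phone


def phone_gate(acct: Account, req: RecoveryRequest) -> Optional[str]:
    """If a phone is registered, the texted code is the only accepted proof."""
    if not acct.phone_registered:
        return None
    return "reset:sms_code" if req.has_phone_code else "denied:sms_code_required"


def weak_recovery(acct: Account, req: RecoveryRequest) -> str:
    """Flow as the post describes it: wrong answers do not lock the account,
    they open the trusted-friends path, and the requester may be a helper."""
    gate = phone_gate(acct, req)
    if gate:
        return gate
    if acct.security_answer is None:
        # Assumption drawn from the post's advice: with no question set,
        # only the registered e-mail/phone route exists.
        return "denied:no_fallback"
    wrong = 0
    for a in req.answers:
        if a == acct.security_answer:
            return "reset:security_question"
        wrong += 1
        if wrong >= WRONG_ANSWER_LIMIT:
            break                        # falls through instead of locking
    else:
        return "denied:answer_required"  # fewer than 3 wrong answers so far
    if len(req.helpers) < HELPERS_REQUIRED:
        return "denied:not_enough_helpers"
    if any(h not in acct.friends for h in req.helpers):
        return "denied:helper_not_a_friend"
    if req.codes_returned >= HELPERS_REQUIRED:
        return "reset:trusted_friends"
    return "denied:codes_incomplete"


def hardened_recovery(acct: Account, req: RecoveryRequest, today: date,
                      min_tenure_days: int = 30) -> str:
    """Assumed safer policy: wrong answers lock the flow rather than open a
    new path; the requester cannot be a helper; helpers must be friends of
    at least min_tenure_days; every helper's code is still required."""
    gate = phone_gate(acct, req)
    if gate:
        return gate
    if acct.security_answer is not None and req.answers:
        wrong = 0
        for a in req.answers:
            if a == acct.security_answer:
                return "reset:security_question"
            wrong += 1
            if wrong >= WRONG_ANSWER_LIMIT:
                return "locked:24h"      # lock; do not fall through
        return "denied:answer_required"
    # Trusted-friends path only when the question was not attempted at all.
    if len(req.helpers) < HELPERS_REQUIRED:
        return "denied:not_enough_helpers"
    if req.requester in req.helpers:
        return "denied:requester_is_helper"
    for h in req.helpers:
        began = acct.friends.get(h)
        if began is None:
            return "denied:helper_not_a_friend"
        if (today - began).days < min_tenure_days:
            return "denied:helper_tenure"
    if req.codes_returned >= HELPERS_REQUIRED:
        return "reset:trusted_friends"
    return "denied:codes_incomplete"


# Constructed scenario: "mallory" has been a friend for months and has also
# befriended "victim" from two newly created profiles ("new1", "new2").
VICTIM = Account(owner="victim", security_answer="blue",
                 friends={"alice": date(2011, 1, 5), "bob": date(2011, 3, 9),
                          "mallory": date(2011, 9, 1),
                          "new1": date(2012, 5, 28), "new2": date(2012, 5, 29)})
VICTIM_WITH_PHONE = Account(owner="victim", security_answer="blue",
                            friends=VICTIM.friends, phone_registered=True)
TODAY = date(2012, 6, 1)
GUESSING = RecoveryRequest("mallory", ["red", "green", "black"],
                           ["mallory", "alice", "bob"], codes_returned=3)
SELF_HELPER = RecoveryRequest("mallory", [], ["mallory", "alice", "bob"], codes_returned=3)
NEW_PROFILES = RecoveryRequest("mallory", [], ["new1", "new2", "alice"], codes_returned=3)
OWNER = RecoveryRequest("victim", ["blue"], [])

if __name__ == "__main__":
    for label, acct, req in [("guessing", VICTIM, GUESSING), ("self-helper", VICTIM, SELF_HELPER),
                             ("new profiles", VICTIM, NEW_PROFILES), ("owner", VICTIM, OWNER),
                             ("phone set", VICTIM_WITH_PHONE, GUESSING)]:
        print(f"{label:13} weak={weak_recovery(acct, req):26} "
              f"hardened={hardened_recovery(acct, req, TODAY)}")
```

The weak flow returns `reset:trusted_friends` for the guessing request even though every answer was wrong, which is exactly the fall-through the post describes; the hardened policy locks that same request, rejects a requester who lists themselves as a helper, rejects helpers added days ago, and, once a phone is registered, never reaches either path without the texted code.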

How Do I Protect Myself From this Attack?

As you can see, we easily bypassed Facebook’s security question, so there is no use in setting one. If you haven’t selected a security question on Facebook, just sit back and hang loose; don’t bother to set any. What matters is that you register your mobile on Facebook.

Unfortunately, it is not possible to update or remove your account’s security question once you have added one. So, guys, if you have already added a security question to your account settings, you are at risk. To avoid this attack, you will need to update your ‘Account Security’ in Account Settings:

  1. Go to Account Settings and click ‘Account Security’. You will see the options shown below.

[Screenshot: Facebook's Security Question vulnerability]

  2. Check all three options. When you check the third option, “Login Approvals”, Facebook adds another level of security to your account: ‘Login approvals’ is a security feature that requires you to enter a code that Facebook texts to your phone whenever you log in from an unrecognized computer.
  3. Never befriend or accept friend requests from people you don’t know.
  4. If, by chance, anybody resets your password through this attack, your email address will receive a notification of the password change, including the names of the 3 friends who were involved. You will then have only 24 hours to act on it, so always check your email every day.
  5. If you’re planning to go on vacation, never update your status saying, “I will be offline for some days” or something similar. Your vacation is enough for a hacker to compromise your account.
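Point 4 above is the detection opportunity: the old email address receives a notification naming the three helpers, and the 24-hour lock is the window to act. The following block is an added example, not Facebook's code or message format: it parses a constructed notification, compares the named helpers against a constructed friend list with the dates those friendships began, flags helpers who are not friends or were added only days earlier (the fake-profile variant of the attack), and computes the deadline for acting.

```python
"""Triage of a password-change notification (added illustration; the message
format and friend list are constructed, not Facebook's own)."""
import re
from datetime import datetime, timedelta

# Constructed notification, modelled on the post's description: it carries
# the time of the change and names the three helpers.
NOTIFICATION = """\
Subject: Your password was changed
Date: 2012-06-01T09:14:00
Your password was reset with the help of your trusted friends:
Alice Example, Bob Example, Pat Placeholder
"""

# Constructed friend list: name -> date the friendship was accepted.
FRIENDS = {
    "Alice Example": datetime(2011, 1, 5),
    "Bob Example": datetime(2011, 3, 9),
    "Pat Placeholder": datetime(2012, 5, 28),
}

DATE_LINE = re.compile(r"^Date:\s*(\S+)", re.MULTILINE)
HELPER_LINE = re.compile(r"trusted friends:\s*\n(.+)")


def parse_notification(text: str):
    """Return (time of change, list of helper names) from the message."""
    d = DATE_LINE.search(text)
    h = HELPER_LINE.search(text)
    if not d or not h:
        raise ValueError("not a recognised password-change notification")
    changed_at = datetime.fromisoformat(d.group(1))
    helpers = [name.strip() for name in h.group(1).split(",")]
    return changed_at, helpers


def triage(text: str, friends: dict, min_tenure_days: int = 30,
           lock_hours: int = 24) -> dict:
    """Flag helpers who are unknown or recently added, and compute the
    end of the lock window within which the owner must react."""
    changed_at, helpers = parse_notification(text)
    findings = []
    for name in helpers:
        accepted = friends.get(name)
        if accepted is None:
            findings.append((name, "not in friend list"))
        elif (changed_at - accepted).days < min_tenure_days:
            findings.append((name, f"friend for only {(changed_at - accepted).days} days"))
    return {
        "helpers": helpers,
        "findings": findings,
        "act_before": changed_at + timedelta(hours=lock_hours),
    }


if __name__ == "__main__":
    result = triage(NOTIFICATION, FRIENDS)
    print("helpers:", ", ".join(result["helpers"]))
    for name, why in result["findings"]:
        print(f"suspicious helper: {name} ({why})")
    print("act before:", result["act_before"].isoformat())
```

A helper that was accepted as a friend only a few days before the reset is the signal worth alerting on; the same check can run over the account's own friend list periodically, before any notification arrives, to spot new contacts who could be pooled into a recovery request.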

Do share this post with your friends and make them aware of this vulnerability!


Ashwin S

A cybersecurity enthusiast at heart with a passion for all things tech. Yet his creativity extends beyond the world of cybersecurity. With an innate love for design, he's always on the lookout for unique design concepts.