Vuln Type: Account Takeover
Product Area: Facebook - Web
This vulnerability report describes how an attacker could obtain access to (pressumably) any Facebook account by resetting the password through recovery email which was re-registered after previously automatically-deactivated (because of inactivity) by an external freemail provider, like old Yahoo, Gmail, Hotmail accounts.
I have tested this vulnerability on my sister's and bestfriend's facebook account, (of course with permission). The email provider on which this vulnerability was tested from is Yahoo!, other freemail providers may differ on their policy but nevertheless the process is the same.
This exploit will allow me to reset the passwords of the affected Facebook accounts.
My approach in solving this problem if I am a facebook programmer would be the following:
If an email notification from facebook hard-bounces, then facebook should at least inform the user about this email issue and prompt for a new email
remove the email from being linked to the facebook account.
A standard Facebook account whose email address was previously active but was now deactivated without his/her knowledge due to the deactivation policy of some freemail providers.
This is similar to this article: https://lifehacker.com/5325867/never-use-hotmail-inactive-webmail-as-your-secondary-email-account
1. Create an email account in Outlook/Hotmail/Yahoo!/GMail or any freemail provider.
2. Link the newly created email address as a recovery email to a new Facebook account.
3. Here comes the tricky part, WAIT FOR AT LEAST A YEAR FOR THE FREEMAIL PROVIDER'S DEACTIVATION POLICY TO TAKE EFFECT (make the email account dormant for 1 year)
4. Now that the email account has been deactivated, the attacker, can now re-register the very same email address from Step 1.
(In this part, it might get tricky for the attacker because, Facebook already has its method of preventing anyone from seeing the full email address of the victim like firstname.lastname@example.org. But a few commonsense and guessing on the attacker's side would be not that difficult.)
5. Return back to Facebook and reset the password of the victim's Facebook account via recovery email.
6. Check the email for the Facebook password reset code.
7. Set the new password and the hacker's got the victim's Facebook account.
Disclaimer: I have reported this to facebook's bug bounty program and they seem to have partially fixed the problem by hiding the domain of the email in Repro Steps #4. But the issue is still apparent, it's just a matter of email address guessing or just simply asking the account owner of the email used in facebook then hi-jack the facebook account as described hereon.