
As we all know, there was a recent vulnerability on Facebook that was exploited by an Indian developer, as stated here.

Brute force in 2016 is very weird. Facebook applies rate limiting while entering the code for phone. Why are they not using CAPTCHAs?

Couldn't the problem be avoided by adding a CAPTCHA?

Thanks

Johnny
  • I'd say this probably doesn't even need captcha. If you're sending a recovery code to an email or cell phone, there's no reason there should be more than 5 incorrect entries supplied for something. I'd just limit the number of incorrect attempts to a very low amount and invalidate the reset code after a period of 24 hours or it's been incorrectly guessed a few times. – drew010 Apr 20 '16 at 04:08
  • @drew10 I am really as how the developer forgot to do this on their QA environment. – Johnny Apr 20 '16 at 05:16
  • I couldn't hear any audio in the video, but noticed they were using a "beta" domain to perform the exploit. Perhaps this was something left open to the public that was overlooked or forgotten. I've found plenty of dev/staging systems open to the public that output a lot more sensitive debug information when given erroneous input, but yes, this is definitely a huge embarrassment to them and could have caused immense damage if it was first discovered by criminals or more malicious users. $15k is a good bounty for it, but something of that magnitude could have cost millions or more if abused. – drew010 Apr 20 '16 at 05:20
  • @drew010 very well said – Johnny Apr 20 '16 at 05:24

1 Answer


CAPTCHAs are also not perfect. There are OCR algorithms to programmatically solve them, there are also systems which outsource the problem, i.e., dodgy download sites can give you a popup to solve a CAPTCHA, but their real goal is not to find out whether you are a human or not, but to solve that particular CAPTCHA. I think there are even factories at places where the human labor is very cheap where people solve CAPTCHAs 10 hours a day as their normal jobs.

gerion
  • I agree about the OCR algos, but still one can implement Google's CAPTCHA that involves clicking. I was thinking that Facebook still hasn't added a CAPTCHA to this forgot-password thing; why is that? – Johnny Apr 18 '16 at 06:17
  • That is a very good question :). Maybe they don't use CAPTCHA because it is not user friendly. I think a proper rate limit, which adds delay to the response so that it is unresponsive after around 10 requests, should be fine without CAPTCHA. They could have also invalidated the code after 5 tries and sent a new one. – gerion Apr 19 '16 at 09:03
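The mitigation drew010 and gerion describe in the comments (a low cap on wrong guesses, a 24-hour lifetime, and burning the code after a few misses) as an added example; this is illustrative code written for this page, not Facebook's or anyone's production implementation, and the account-keyed store, the 6-digit code length and the 5-attempt cap are assumptions for the example:

```python
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_LENGTH = 6            # digits in the recovery code (assumed)
MAX_ATTEMPTS = 5           # wrong guesses before the code is burned
CODE_TTL_SECONDS = 24 * 3600


@dataclass
class ResetCode:
    code: str
    issued_at: float
    attempts: int = 0


class ResetCodeStore:
    # Single-use recovery codes with a per-account attempt counter and
    # expiry. The counter is keyed by account, not client address, so
    # spreading guesses over many sources does not reset it.
    def __init__(self, clock=time.time):
        self._clock = clock          # injectable for deterministic tests
        self._codes: dict[str, ResetCode] = {}

    def issue(self, account: str) -> str:
        # A new code replaces any outstanding one, so reissuing never
        # grants extra guesses against an old code.
        code = f"{secrets.randbelow(10 ** CODE_LENGTH):0{CODE_LENGTH}d}"
        self._codes[account] = ResetCode(code, self._clock())
        return code

    def verify(self, account: str, guess: str) -> bool:
        entry = self._codes.get(account)
        if entry is None:
            return False                       # nothing outstanding
        if self._clock() - entry.issued_at > CODE_TTL_SECONDS:
            del self._codes[account]           # expired: burn it
            return False
        entry.attempts += 1
        ok = hmac.compare_digest(entry.code.encode(), guess.encode())
        if ok or entry.attempts >= MAX_ATTEMPTS:
            del self._codes[account]           # consumed, or too many misses
        return ok


def brute_force_success_probability() -> float:
    # Upper bound on an attacker's odds: at most MAX_ATTEMPTS distinct
    # guesses out of 10 ** CODE_LENGTH equally likely codes.
    return MAX_ATTEMPTS / 10 ** CODE_LENGTH
```

With these constants an attacker gets at most 5 of 1,000,000 possible codes per issued code, so a missing per-request rate limit on one endpoint (as with the beta domain discussed above) no longer turns into a full brute force.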