Until recently, Facebook had a vulnerability that would have allowed an attacker to reset a target user's password simply by getting the victim to visit a link.
Security researcher Dan Melamed said the vulnerability lay in Facebook's "claim email address" component; it has since been patched.
"The hacker can ... reset the victim's password using the newly added email address, thus allowing the attacker to take complete control over the Facebook account. This vulnerability has been confirmed to be patched by the Facebook Security Team," Melamed said in a blog post.
He said that when a user tries to add an email address that already exists in the Facebook system, they have the option to "claim it."
When a claim was completed, Facebook did not verify that the request had actually been made by the logged-in user rather than triggered by a third-party page loaded in that user's browser, the classic cross-site request forgery (CSRF) pattern.
The attacker needs two Facebook accounts: one that holds the email address to be claimed, and another used to initiate the claim process.
Melamed said an attacker can embed the resulting claim link in a webpage as either an image or an iframe.
Once the victim, logged in to Facebook, visits that page, the browser sends the request with the victim's session, the attacker-controlled email address is added to the victim's Facebook account, and the victim is unaware that anything happened.
Another security researcher, Graham Cluley, added that a successful attack could let a hacker read private messages, post updates and send private messages in the victim's name.
But Cluley said the good thing was that Melamed acted responsibly and disclosed details of the security hole to Facebook.
This allowed Facebook’s security team to respond and fix the flaw.
"Melamed was awarded $1500 by Facebook’s bug bounty initiative for responsibly disclosing the vulnerability to the social network," Cluley noted. — TJD, GMA News