An Independent Security Researcher, Sow Ching Shiong, has discovered a serious Password reset vulnerability in Facebook that allowed hackers to change the passwords of facebook accounts.
Normally, User is required to enter his current password before they can set the new one to prevent an unauthorized person from changing the password without the user's knowledge.
However, the Researcher identified that a hacker could change user's password without known the user's current password by accessing the url "https://www.facebook.com/hacked", which automatically redirected to the compromised account recovery page.
In this page, an attacker was simply prompted to enter the new password and confirm it, without having to know any other information.
Facebook Security Team fixed the vulnerability after being notified by the Security researcher and Sow Ching Shiong has been added to Facebook's white hats list ( https://www.facebook.com/whitehat )
