Contact Point Deanonymization Vulnerability in Meta

  1. An attacker can easily OSINT the victim's email address, for example by resolving a mobile number to an email address.
  2. The password reset endpoint doesn't require an active session, so an attacker can easily automate this workflow and scrape the data in bulk by cycling through random mobile numbers with IP rotation.

  1. Only a masked email address is returned on the password reset page on all Facebook and Workplace domains.
  2. Only work account OTPs are validated on work.facebook.com.
