Security blogger Anand Prakash says he's figured out how to hack into any Facebook account using the password reset function. The stunt allowed him entry into a Facebook account with full access to messages, content and any stored credit card information.
Typically, when a person forgets their password, Facebook asks them to enter the email address, phone number or name associated with the account. It then sends a six-digit PIN to verify the user's identity before allowing them to reset their password. Prakash first tried to brute force the PIN via Facebook.com, but the website shut him out after 10-12 attempts. So he tried the same attack through Facebook's beta site, beta.facebook.com, as well as its ad-free site, mbasic.beta.facebook.com.
He found that there was no rate limiter on those sites, which allowed him to gain access to his own account by using a program to repeatedly submit six-digit PIN combinations. When the software arrived at the right combination, Prakash was able to change the password and log in using the new credentials.
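An added example, not code from the article or from Facebook: the guard that closes this class of hole is a single wrong-attempt counter keyed by the account and shared by every front end that can verify a reset PIN, so a second host name never gets a fresh budget of guesses. The endpoint names, the 10-attempt limit and the 15-minute PIN lifetime are assumptions.

```python
# Added example (not Facebook's code): one lockout counter per account, shared by
# every front end that can verify a password-reset PIN.
import secrets
import time

MAX_ATTEMPTS = 10          # lock after this many wrong PINs, across all front ends (assumed)
PIN_TTL_SECONDS = 15 * 60  # reset PIN expires after 15 minutes (assumed policy)


class ResetPinVerifier:
    def __init__(self):
        self._pins = {}      # account -> (pin, expiry timestamp)
        self._attempts = {}  # account -> wrong attempts so far; keyed by account, NOT by endpoint

    def issue_pin(self, account: str) -> str:
        """Issue a fresh six-digit PIN and reset the account's attempt counter."""
        pin = f"{secrets.randbelow(10**6):06d}"
        self._pins[account] = (pin, time.time() + PIN_TTL_SECONDS)
        self._attempts[account] = 0
        return pin

    def verify(self, account: str, endpoint: str, candidate: str) -> str:
        """Return 'ok', 'wrong', 'locked' or 'expired'.

        `endpoint` (e.g. 'www', 'beta', 'mbasic.beta') is only informational; it must
        never select a separate counter, which is exactly the gap the article describes.
        """
        if self._attempts.get(account, 0) >= MAX_ATTEMPTS:
            return "locked"
        if account not in self._pins:
            return "expired"
        pin, expiry = self._pins[account]
        if time.time() > expiry:
            del self._pins[account]
            return "expired"
        if not secrets.compare_digest(candidate, pin):
            self._attempts[account] += 1
            if self._attempts[account] >= MAX_ATTEMPTS:
                del self._pins[account]  # invalidate the PIN so later guesses cannot succeed
                return "locked"
            return "wrong"
        del self._pins[account]  # a PIN is single use
        return "ok"


def simulate_attempts(verifier, account, endpoints, candidates):
    """Replay guesses round-robin across endpoints; returns the verifier's verdicts."""
    return [verifier.verify(account, endpoints[i % len(endpoints)], c)
            for i, c in enumerate(candidates)]
```

Spreading the guesses over three host names changes nothing: the tenth wrong PIN locks the account and invalidates the PIN regardless of which front end received it.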
He has since alerted Facebook to the vulnerability and was awarded $15,000 for the exploit discovery. You can watch him take over his own Facebook account in the video below.