Prakash stated on his blog that “Whenever a user Forgets his password on Facebook, he has an option to reset the password by entering his phone number/ email address, after that Facebook sends 6 Digit Code to the users phone number or email address which helps the user to set a new password for his account. He further said that he tired to brute the 6 Digit Code on Facebook and was blocked after 10-12 consecutive invalid attempts. After he was blocked from getting 6 digit code, he then headed to Facebook’s Beta pages, beta.facebook.com and mbasic.beta.facebook.com, he discovered that rate limit was missing from forgot password section in these two beta websites. He realized that there was no limitation, so it could have allowed him to brute force into any Facebook Account.

Vulnerable request: