An independent vulnerability researcher, Sow Ching Shiong, found a way to change the password of any Facebook account without knowing its current password. Facebook has fixed this very critical vulnerability. The flaw allowed an attacker to change any Facebook user's password easily.
Facebook has a recovery page for compromised accounts, “https://www.facebook.com/hacked”. When clicked, it redirected to another page,
“https://www.facebook.com/checkpoint/checkpointme?f=[userid]&r=web_hacked”.
The parameter f is the user id; if any user id was supplied, that user's password could be changed without any proper authentication.
The vulnerability was very simple to execute. It has been confirmed and patched by the Facebook Security Team.
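The root cause described above is a server that lets a request parameter (`f`) choose whose password gets reset. The following added example is not Facebook's code and does not reproduce their flow; it is an illustrative comparison of the insecure pattern (trusting `f` alone) with a hardened handler that binds the recovery target either to the logged-in session or to a server-issued, single-use, expiring recovery token that is assumed to have been delivered out of band (for example, to the account's verified e-mail). The user ids, the `token` parameter name and the `RecoveryTokens` class are constructed for this example.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Session:
    """Minimal stand-in for a web session; user_id is None when not logged in."""
    user_id: Optional[str]


class RecoveryTokens:
    """Server-side store of single-use recovery tokens (constructed for this example).

    Each token is bound to exactly one user id and expires after ttl_seconds.
    """

    def __init__(self, ttl_seconds: int = 900) -> None:
        self._tokens: Dict[str, Tuple[str, float]] = {}  # token -> (user_id, expires_at)
        self.ttl = ttl_seconds

    def issue(self, user_id: str, now: Optional[float] = None) -> str:
        """Mint a token for user_id; the caller would send it to the user out of band."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # unguessable, unlike a numeric user id
        self._tokens[token] = (user_id, now + self.ttl)
        return token

    def redeem(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Consume a token and return the bound user id, or None if invalid/expired."""
        now = time.time() if now is None else now
        entry = self._tokens.pop(token, None)  # pop => single use, replay fails
        if entry is None:
            return None
        user_id, expires_at = entry
        if now > expires_at:
            return None
        return user_id


def checkpoint_vulnerable(query: Dict[str, str], session: Session) -> Optional[str]:
    """Insecure pattern: whoever supplies f= picks the account to reset.

    Returns the user id whose password will be reset, or None if refused.
    The session is ignored entirely, which is the authorization gap the
    article describes.
    """
    return query.get("f")


def checkpoint_hardened(
    query: Dict[str, str],
    session: Session,
    tokens: RecoveryTokens,
    now: Optional[float] = None,
) -> Optional[str]:
    """Hardened pattern: f= is only a hint, never proof of ownership.

    The reset proceeds only if (a) the caller is logged in as that user, or
    (b) the caller presents a valid, unexpired, unused token bound to that user.
    """
    target = query.get("f")
    if not target:
        return None

    # (a) The authenticated session owner may reset their own password.
    if session.user_id is not None and session.user_id == target:
        return target

    # (b) Otherwise a server-issued token must prove control of the account.
    token = query.get("token")
    if token:
        bound_user = tokens.redeem(token, now)
        if bound_user is not None and bound_user == target:
            return bound_user

    # Any other combination (unauthenticated, different user, bad token) is refused.
    return None


if __name__ == "__main__":
    store = RecoveryTokens()
    anon = Session(user_id=None)
    # Vulnerable handler: an unauthenticated request names any account.
    print("vulnerable:", checkpoint_vulnerable({"f": "1234"}, anon))  # constructed id
    # Hardened handler refuses the same request.
    print("hardened, no proof:", checkpoint_hardened({"f": "1234"}, anon, store))
    # With a legitimately issued token the reset is allowed exactly once.
    t = store.issue("1234")
    print("hardened, token:", checkpoint_hardened({"f": "1234", "token": t}, anon, store))
    print("hardened, replay:", checkpoint_hardened({"f": "1234", "token": t}, anon, store))
```

The design point is that the user id in the URL is public information and must never be the sole input to an authorization decision; the server needs a secret it issued itself (the session, or an unguessable token tied to one user and one use) before it acts on that id.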