Disabling any unverified accounts - Facebook Bug23 Oct 2014
When a new Facebook account is created a verification code is sent to the email of the user to confirm their identity. Email contains an option to disavow the confirmation link in case the email was misused or used by someone else to create an account.
The link behind
had a confirmation code in it, which was a 5 digit code :
c could be brute-forced by an attacker to find the right confirmation code and disable anyone’s unverified Facebook account.
Facebook fixed this after it was reported to the security team.
Hope you enjoyed reading it!