The critical vulnerability in Facebook’s password reset process involved a rate-limiting issue in a specific endpoint, which could be exploited to brute-force a nonce and gain access to a user’s account.
Source: cyware.com