Can you imagine that a single text message is enough to hack any Facebook account, without user interaction and without using any other malicious stuff like Trojans, phishing, or keyloggers?
Today we are going to explain how a UK-based security researcher, "fin1te", was able to hack any Facebook account within a minute by sending one SMS.
Because 90% of us are Facebook users too, we know that there is an option to link your mobile number with your account. This allows you to receive Facebook account updates via SMS directly on your mobile, and you can also log in to your account using that linked number rather than your email address or username.
According to the hacker, the loophole was in the phone number linking process, or in technical terms, in the file /ajax/settings/mobile/confirm_phone.php
This particular page works in the background when a user submits their phone number and the verification code sent by Facebook to the mobile. The submission form has two main parameters: one for the verification code, and a second, profile_id, which is the account to link the number to.
As an attacker, follow these steps to execute the hack:
1. Change the value of profile_id to the victim's profile_id value by tampering with the parameters.
2. Send the letter F to 32665, which is Facebook's SMS shortcode in the UK. You will receive an 8-character verification code back.
3. Enter that code in the box, or as the confirmation_code parameter value, and submit the form.
Facebook will accept that confirmation code, and the attacker's mobile number will be linked to the victim's Facebook profile.
In the next step, the hacker just needs to go to the Forgot Password option and initiate a password reset request against the victim's account. The attacker can now get the password recovery code on his own mobile number, which is linked to the victim's account using the steps above. Enter the code and reset the password!
Facebook no longer accepts the profile_id parameter from the user end, after receiving the bug report from the hacker.
In return, Facebook is paying $20,000 to fin1te as a bug bounty.
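The fix described above amounts to taking the target account from the authenticated session instead of from the request. The sketch below puts the flawed check beside the corrected one; it is an added illustration, not Facebook's code, and the class, method names, profile ids and phone number are constructed assumptions.

```python
import secrets

class MobileLinker:
    """Hypothetical in-memory model of the confirm_phone step."""

    def __init__(self):
        self.pending = {}  # confirmation code -> phone that requested it
        self.linked = {}   # profile_id -> set of linked phone numbers

    def issue_code(self, phone):
        # Stands in for the SMS reply: an 8-character code bound to the sender.
        code = secrets.token_hex(4)
        self.pending[code] = phone
        return code

    def _link(self, profile_id, code):
        phone = self.pending.pop(code, None)
        if phone is None:
            return False
        self.linked.setdefault(profile_id, set()).add(phone)
        return True

    def confirm_vulnerable(self, session_profile_id, params):
        # Flaw: the account to modify is read from the request body.
        return self._link(params["profile_id"], params["confirmation_code"])

    def confirm_fixed(self, session_profile_id, params):
        # Fix: the account is always the session owner; a mismatching
        # profile_id is rejected so tampering attempts can be logged.
        if params.get("profile_id", session_profile_id) != session_profile_id:
            return False
        return self._link(session_profile_id, params["confirmation_code"])

def demo():
    owner, other = "1001", "2002"   # constructed profile ids
    phone = "+447700900123"         # constructed number
    results = {}
    for name in ("confirm_vulnerable", "confirm_fixed"):
        svc = MobileLinker()
        tampered = {"profile_id": other, "confirmation_code": svc.issue_code(phone)}
        accepted = getattr(svc, name)(owner, tampered)
        results[name] = (accepted, phone in svc.linked.get(other, set()))
    return results

if __name__ == "__main__":
    print(demo())
```

Each result pair is (request accepted, phone linked to the account that is not the session owner); a rejected mismatch is also a useful signal to log and alert on.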