No specialized software and no user interaction were needed for the hack: just a text message, simple as that.
So you must be curious how it happened. Read on and we will explain how a security researcher, fin1te, based in the United Kingdom, found the flaw.
According to him, the flawed code lived in “/ajax/settings/mobile/confirm_phone.php.” What the page basically does is link a phone number to a Facebook profile.
Fin1te then found that changing the “profile_id” parameter (which stores the account the phone number is linked to) would not trigger an error.
Here is exactly how the expert completed the hack:
- First send the letter F to 32665(depends), which is Facebook’s SMS shortcode in the UK. We receive an 8 character verification code back.
- Enter this code into the activation box (located here), and modify the profile_id element inside the fbMobileConfirmationForm form.
- Submitting the request returns a 200. “You can see the value of __user (which is sent with all AJAX requests) is different from the profile_id we modified,” as he explains.
The expert notes, “You may have to reauth after submitting the request, but the password required is yours, not the targets.” A confirmation message will then be received.
- What's next is to initiate a password reset request against the user.
- You will then receive a password reset link, and the account is yours.
Facebook immediately fixed the bug by no longer accepting the profile_id parameter from the user.
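To make the root cause and the fix concrete, here is an added toy model of the phone-confirmation endpoint described above. It is example code written for this article, not Facebook's or fin1te's code; the account ids, phone number, verification code and the exact behaviour of the fixed handler (silently ignoring profile_id rather than rejecting the request) are assumptions. The vulnerable handler binds the phone to whatever profile_id the form claims, while the fixed one binds it to the authenticated session user only; a small helper flags the profile_id/__user mismatch the researcher observed, which is the kind of check a defender would log on.

```python
"""Added example (not Facebook's or fin1te's code): a toy model of the
phone-confirmation endpoint, showing the insecure binding beside the fix.
All ids, phone numbers and codes below are constructed sample values."""

from copy import deepcopy

# Constructed sample state: a victim account and an attacker account.
INITIAL_ACCOUNTS = {
    "1001": {"name": "victim", "phone": None},
    "2002": {"name": "attacker", "phone": None},
}

# Outstanding SMS verification codes, keyed by code, mapping to the phone
# number the code was texted to (constructed values).
PENDING_CODES = {"ABCD1234": "+447700900999"}


def confirm_phone_vulnerable(accounts, session_user, form):
    """Insecure handler: links the phone to whatever profile_id the form
    claims, instead of to the user who actually holds the session."""
    phone = PENDING_CODES.get(form.get("code"))
    if phone is None:
        return 400, "invalid code"
    target = form.get("profile_id", session_user)  # attacker-controlled value
    if target not in accounts:
        return 404, "no such profile"
    accounts[target]["phone"] = phone
    return 200, f"phone linked to {target}"


def confirm_phone_fixed(accounts, session_user, form):
    """Fixed handler: the target is always the authenticated user (__user).
    Assumption: a profile_id in the request is simply ignored."""
    phone = PENDING_CODES.get(form.get("code"))
    if phone is None:
        return 400, "invalid code"
    accounts[session_user]["phone"] = phone
    return 200, f"phone linked to {session_user}"


def mismatch_alert(session_user, form):
    """Detection aid: True when the submitted profile_id disagrees with the
    session user, which is exactly the discrepancy noted in the write-up."""
    pid = form.get("profile_id")
    return pid is not None and pid != session_user


def run_scenario(handler):
    """Replays the reported request shape against a handler: the session
    belongs to 2002, but the form names 1001 as the profile to link.
    Returns (status, victim's phone, attacker's phone) on a fresh copy."""
    accounts = deepcopy(INITIAL_ACCOUNTS)
    form = {"code": "ABCD1234", "profile_id": "1001", "__user": "2002"}
    status, _ = handler(accounts, form["__user"], form)
    return status, accounts["1001"]["phone"], accounts["2002"]["phone"]


if __name__ == "__main__":
    print("vulnerable:", run_scenario(confirm_phone_vulnerable))
    print("fixed:     ", run_scenario(confirm_phone_fixed))
```

With the vulnerable handler the victim account (1001) ends up carrying the attacker's phone number even though the session belongs to 2002; with the fixed handler only the session user's own record changes. The lesson is the general one behind this class of bug: the identity a sensitive action applies to must come from the authenticated session, never from a client-supplied id, and any disagreement between the two is worth alerting on.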
The happy security researcher will receive $20,000 for finding the flaw.
You can read the full details here.