
Hacking account using SMS found in Facebook

The Facebook security team recently fixed a flaw that allowed an account to be taken over using only an SMS.

No specialized software or user interaction is needed for the hack. Just a text message, simple as that.

So you must be curious how it happened. Read on and we will explain how a security researcher, fin1te, based in the United Kingdom, found the flaw.

According to him, the flawed code was in “/ajax/settings/mobile/confirm_phone.php.” This page links a phone number to a Facebook profile.

Fin1te later found that changing the “profile_id” parameter (which stores the account the phone number is linked to) did not trigger an error.

Here is how exactly the expert completed the hack:

  • First send the letter F to 32665 (depends), which is Facebook’s SMS shortcode in the UK. We receive an 8-character verification code back.
  • Enter this code into the activation box (located here), and modify the profile_id element inside the fbMobileConfirmationForm form.
  • Submitting the request returns a 200. “You can see the value of __user (which is sent with all AJAX requests) is different from the profile_id we modified,” as he explains.
    The expert notes, “You may have to reauth after submitting the request, but the password required is yours, not the target's.” A confirmation message will then be received.
  • Next, initiate a password request against the user.
  • You will then receive a password reset link, and the account is yours.

Facebook immediately fixed the bug by no longer accepting the profile_id parameter from the user.
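The flaw and the fix described above, modelled as an added example (this is not Facebook's code and not from the original write-up): one handler trusts a client-supplied profile_id, the other binds the phone number to the authenticated session user. The function names, the in-memory dictionaries, the sample values and the choice to reject and log a mismatched profile_id are all assumptions made for illustration.

```python
"""Constructed model of a phone-confirmation handler; not Facebook's code."""


def confirm_phone_vulnerable(session_user_id, form, linked, pending):
    """Flawed pattern: the account to modify is taken from the request body."""
    phone = pending.pop(form.get("code"), None)
    if phone is None:
        return 400  # unknown or already used verification code
    # No check that profile_id belongs to the authenticated session.
    linked[form["profile_id"]] = phone
    return 200


def confirm_phone_fixed(session_user_id, form, linked, pending, audit):
    """Hardened pattern: the target is always the authenticated session user."""
    supplied = form.get("profile_id")
    if supplied is not None and supplied != session_user_id:
        # A mismatch never happens in normal use, so log it and refuse
        # before the verification code is consumed.
        audit.append(("profile_id_mismatch", session_user_id, supplied))
        return 403
    phone = pending.pop(form.get("code"), None)
    if phone is None:
        return 400
    linked[session_user_id] = phone  # identity comes from the session only
    return 200


def run_demo():
    """Replay the same constructed request against both handlers."""
    form = {"code": "AB12CD34", "profile_id": "user_b"}  # sent by user_a's session
    results = {}
    for name in ("vulnerable", "fixed"):
        linked = {"user_a": None, "user_b": None}        # constructed accounts
        pending = {"AB12CD34": "+440000000001"}          # constructed SMS code
        audit = []
        if name == "vulnerable":
            status = confirm_phone_vulnerable("user_a", form, linked, pending)
        else:
            status = confirm_phone_fixed("user_a", form, linked, pending, audit)
        results[name] = (status, linked["user_b"], audit)
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(name, outcome)
```

The audit entry written by the hardened handler doubles as a detection signal, since a legitimate client has no reason to send a profile_id that differs from its own session.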

The happy security researcher will then receive $20,000 for finding the flaw.

You can read the full details here.

About Clifford Trigo

I am Clifford Trigo, a proud Boholano / Pinoy / Filipino Web App Security Researcher. Day by day, I'm learning new things :)) Visit my HackerOne Profile, currently at top 2 overall :D