 |
Can you ever imagine that a single text message is enough to
hack any Facebook account without user
interaction or without using any other malicious stuff like phishing, keylogger, Trojans etc.?
interaction or without using any other malicious stuff like phishing, keylogger, Trojans etc.?
Today we are going to explain you that how a UK based Security
Research, “Fin1te” is able to hack
any Facebook account within a minute by doing one SMS.
Because 90% of us are Facebook user too, so we know that
there is an option of linking your mobile number with your account, which
allows you to receive Facebook account updates via SMS directly to your mobile
and also you can log into your account using that linked number rather than
your Email address or username.
According to the hacker, the loophole was in mobile number
linking process, or in technical terms, at file/ajax/settings/mobile/confirm_phone.php
This particular webpage works in background when user
submits his phone number and verification code, sent by Facebook to mobile.
That submission form having two main parameters, one for verification code and
second profile_id, which is the account to link the number to.
As attacker, follow
these steps to execute hack:
1.
Change value of profile_id to the
victim’s profile_id value by tampering the parameters.
2.
Send the letter F to 32665, which is Facebook’s SMS short code in the UK. You will
receive an * character verification code back.
3.
Enter that code in the box or as Confirmation_code
parameter value and submit the form.
Facebook will accept that confirmation code and attacker’s
mobile number will be linked ti victim’s Facebook profile.
In next step hacker just need to go to Forget Password
option and initiate the password reset request against of victim’s account.
Attacker can now get password recovery code to his mobile
number which is linked to victim’s account using above steps. Enter the code
and Reset the Password!
Facebook no longer accept the profile_id parameter from
the user end after receiving the bug report from the hacker.
In return, Facebook pays $20,000 to fin1te as Bug Bounty.
No comments:
Post a Comment