A UK-based security researcher going by the name of “fin1te” has
earned himself $20,000 after uncovering a way to hack into any account
on Facebook, just by sending a mobile phone text message.
This should – obviously – have been impossible, but due to a weakness
in Facebook’s tangled nest of millions and millions of lines of code,
potentially hundreds of millions of accounts were vulnerable to
hijacking through this simple technique.
The first thing to do is send the letter “F” in an SMS message to
Facebook, as though you were legitimately registering your mobile phone
with the social network. In the UK, the SMS shortcode for Facebook is
32665.
Facebook responds, via SMS, with an eight character confirmation code.
The normal sequence of events would be to enter that confirmation code into a Facebook form, and go on your merry way…
But fin1te discovered that a vulnerability existed in that form which
could be exploited to use the confirmation code Facebook had sent him via
SMS with *anyone* else’s account.
What fin1te had uncovered was that one of the elements of the mobile
activation form contained, as a parameter, the user’s profile ID.
That’s the unique number associated with your intended target’s account.
Change the profile ID that is sent by that form to Facebook, and the
social network might be duped into thinking you are someone else linking
a mobile phone to their account.
Therefore, the first step needed to hijack someone’s account in this way requires your victim’s unique Facebook profile ID.
If you don’t know what someone’s numeric profile ID is, you can always look it up using
freely-available tools – they aren’t supposed to be a secret.
Sure enough, fin1te was able to replace the profile ID parameter sent
by his browser to Facebook with the unique number of the account he
wanted to access…
… and within seconds his mobile phone was sent an SMS confirming
that he had successfully connected the device to the account.
Success. A Facebook account now has a third party’s mobile phone
number associated with it, without any need for malware or phishing.
All that was done was to send an SMS text message.
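To show what went wrong on the server side and how it should have been handled, here is an added example (not Facebook’s code, and not fin1te’s): a constructed in-memory model of the phone-linking handler that trusts the form’s profile ID, next to a hardened version that binds the action to the logged-in user. All names, numbers and codes in it are assumptions.

```python
import secrets

# Constructed stand-ins for the real backend (assumptions, not Facebook's code):
# pending SMS codes keyed by phone, and the phone now tied to each account.
PENDING_CODES = {}      # phone -> confirmation code sent to that phone
LINKED_PHONES = {}      # profile_id -> phone number linked to the account


def issue_sms_code(phone):
    """Models the reply to the 'F' text: an 8-character code goes to `phone`."""
    code = secrets.token_hex(4)           # 8 hex characters
    PENDING_CODES[phone] = code
    return code


def confirm_phone_vulnerable(session_user_id, form):
    """The flaw described in the article: the target account is taken from
    a profile_id field in the submitted form, which the client controls."""
    target = form["profile_id"]           # never validated against the session
    if PENDING_CODES.get(form["phone"]) != form["code"]:
        return False
    LINKED_PHONES[target] = form["phone"]
    return True


def confirm_phone_fixed(session_user_id, form):
    """Hardened version: the account is always the authenticated user; a
    profile_id that disagrees with the session is treated as tampering."""
    if form.get("profile_id") not in (None, session_user_id):
        return False                      # reject, log and alert on mismatch
    if PENDING_CODES.get(form["phone"]) != form["code"]:
        return False
    LINKED_PHONES[session_user_id] = form["phone"]
    return True


def demo(handler, target=2002):
    """User 1001 obtains a code on their own phone and submits the form
    naming `target` (2002 is a constructed 'someone else' account).
    Returns the resulting account -> phone mapping."""
    PENDING_CODES.clear()
    LINKED_PHONES.clear()
    phone = "+447700900123"               # constructed sample number
    code = issue_sms_code(phone)
    form = {"profile_id": target, "phone": phone, "code": code}
    handler(session_user_id=1001, form=form)
    return dict(LINKED_PHONES)
```

The vulnerable handler links the phone to account 2002, the fixed one links nothing unless the form names the session’s own account 1001.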
The final stage of the account hijacking is straightforward.
Facebook allows you to log into its system using your mobile number
rather than an email address if you want, so at login you enter the
mobile phone number you have associated with your victim’s account, and
request a password reset via SMS.
Sure enough, fin1te discovered that Facebook duly sent him the
password reset code for the account – meaning he could change the
account’s password, and lock out its legitimate user.
This is an incredibly simple but powerful way to take over anybody’s Facebook account.
The good news is that fin1te disclosed the vulnerability responsibly
to Facebook, rather than exploiting it for malicious purposes or selling
it to other parties. Facebook has fixed the problem so others can no
longer take advantage of this serious security hole, and for his troubles
awarded fin1te a hefty $20,000 bug bounty.
But there’s no doubt that on the underground market, perhaps sold to
cybercriminals or intelligence agencies, fin1te’s discovery could have
earned him even more money.
Who knows what other serious security vulnerabilities may lie inside
Facebook that haven’t been responsibly reported to the company’s
security team?