Researcher finds way to commandeer any Facebook account from his mobile phone


A security researcher revealed Wednesday that he discovered an easy-to-exploit Facebook vulnerability that could have enabled users to overtake anybody's Facebook page thanks to the social networking service's "Mobile Texts" feature.

The U.K.-based researcher, who goes by the handle "fin1te," said Facebook has since patched the flaw, which he reported to the company on May 23. For his disclosure, he was awarded $20,000 through Facebook's Bug Bounty Program.

To exploit the vulnerability, fin1te first texted the letter "F" to "32665," Facebook's SMS shortcode in the U.K. and the United States, with the goal of activating mobile texts for his account, which allows users to receive and respond to Facebook notifications from their phone. He next received a confirmation code to his mobile phone, which he entered into a Facebook web form under "Mobile Settings" as part of the setup process.

Then, he modified the form's source code to input a different user's profile ID, a numeric string that easily can be found on the web for any Facebook member. Next, he submitted the form, which sent a confirmation text to his phone saying that he had successfully installed the Mobile Texts capability.

Fin1te was now able to reset the target user's account password, because Facebook offers the option of receiving a reset code by text message, and that code was sent to his phone even though he was acting as a different user (the one whose profile ID Facebook had accepted).

"We enter this code into the [password reset] form, choose a new password, and we're done," Fin1te wrote. "The account is ours."

Five days after being alerted of the vulnerability, Facebook patched the issue by "no longer accepting the profile_id parameter from the user."
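The flaw and its fix as an added illustration (not Facebook's code or fin1te's): the "before" handler binds the confirmed phone to whatever profile_id the form carries, while the patched handler ignores that parameter and binds the phone only to the account of the authenticated session. Account IDs, phone numbers and codes are constructed sample values.

```python
from dataclasses import dataclass

# Constructed sample state: confirmation codes texted to each phone number,
# and the phone number currently bound to each account (empty at start).
ISSUED_CODES = {"+447700900001": "ABC123"}  # code sent to the attacker's own phone
PHONE_BY_PROFILE: dict[int, str] = {}


@dataclass
class Session:
    """Server-side session of the logged-in user (hypothetical type)."""
    user_id: int


def bind_phone_vulnerable(session: Session, form: dict) -> str:
    """'Before' behaviour: the profile to bind comes from the submitted form,
    so a user who confirms their own phone can attach it to any profile_id."""
    if ISSUED_CODES.get(form["phone"]) != form["code"]:
        return "bad code"
    PHONE_BY_PROFILE[int(form["profile_id"])] = form["phone"]  # client-controlled
    return "bound"


def bind_phone_fixed(session: Session, form: dict) -> str:
    """Patched behaviour: the account is taken from the server-side session;
    a profile_id field in the form, if present, is never read."""
    if ISSUED_CODES.get(form["phone"]) != form["code"]:
        return "bad code"
    PHONE_BY_PROFILE[session.user_id] = form["phone"]
    return "bound"


def demo() -> tuple[dict, dict]:
    """Run the same tampered form through both handlers and return the
    resulting phone bindings (vulnerable first, fixed second)."""
    attacker = Session(user_id=1001)                     # constructed attacker account
    form = {"phone": "+447700900001", "code": "ABC123",  # attacker's own phone and code
            "profile_id": "2002"}                        # constructed victim account id
    PHONE_BY_PROFILE.clear()
    bind_phone_vulnerable(attacker, form)
    vulnerable = dict(PHONE_BY_PROFILE)   # {2002: attacker's phone}: victim account hijacked
    PHONE_BY_PROFILE.clear()
    bind_phone_fixed(attacker, form)
    fixed = dict(PHONE_BY_PROFILE)        # {1001: attacker's phone}: only own account affected
    return vulnerable, fixed


if __name__ == "__main__":
    print(demo())
```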

This isn't the first time researchers have taken advantage of a social networking provider's SMS functionality.
