SMS Account Hijack Exploit Fixed by Facebook

A vulnerability existed in Facebook that an attacker could have exploited via standard messaging service in order to take complete control of any mobile-linked account on the world’s largest social network.

A vulnerability existed in Facebook that an attacker could have exploited via SMS in order to take complete control of any mobile-linked account on the world’s largest social network.

A United Kingdom-based researcher operating under the handle ‘fin1te’ reported the bug to Facebook on May 23. Facebook quickly acknowledged its existence and provided a fix just five days later on May 28.

Exploiting the vulnerability, the researcher says, requires no user interaction and arises from a feature through which users could receive notifications, post updates, and sign into the network based on a mobile number rather than an email address via SMS. In order to access Facebook on a mobile device in the U.K., you text message ‘F’ to 32665. In return the user would receive an eight-letter code.

The flaw apparently existed in the mechanism that makes mobile verification work, which fin1te claims is the “the ‘/ajax/settings/mobile/confirm_phone.php’ end-point.” This establishes the verification code you will receive and links it with the profile_id, which corresponds with a specific Facebook account. If you text Facebook, then you would receive a verification code linked with your personal profile_id.

The researcher found that he could swap out his profile_id for anyone else’s without triggering an error message. All he had to do was access the Facebook settings page, enter the confirmation code into the appropriate box, and modify the profile_id element inside the “fbMobileConfirmation” Form. From there, he submitted the confirmation request, which displays the profile_id he chose, rather than the one that belongs to him.

He notes that sometimes he had to send a second re-authorization request, but eventually he would receive a text notification informing him that he was confirmed. Once that happened, he went to login to Facebook using his mobile number and his own password and Facebook routed him to a password reset initiation page on which he could choose to receive the password reset link via SMS (pictured in the image above).

After that he received another SMS message with a link, which allowed him to change the password of and access the account affiliated with the profile_id belonging to an account that was not his.

Facebook resolved the bug simply by no longer accepting the profile_id parameters from the user.

Facebook confirmed fin1te’s research in an email and issued the following statement:

“We appreciate the security researcher’s effort to report this issue to our White Hat Program,” Facebook said. “We worked with the researcher to evaluate the scope of the issue and fix this bug quickly. We have no evidence that it was exploited maliciously. We have provided a bounty to the researcher to thank him for his contribution to Facebook security.”

Suggested articles