Facebook Patches Mobile Text Vulnerability, Rewards Flaw Discoverer

Facebook paid a U.K. researcher a $20,000 award for finding a bug that could enable account hijacking before it was patched in late May.

Facebook has fixed a vulnerability that a U.K. security researcher discovered could have been used to hijack user accounts via Facebook's Mobile Texts feature.

The researcher, who goes by the nickname 'fin1te,' was rewarded with $20,000 via Facebook's bug bounty program for finding the flaw and reporting it to social network last month.

"Facebook gives you the option of linking your mobile number with your account," the researcher blogged. "This allows you to receive updates via SMS [Short Message Service], and also means you can log in using the number rather than your email address."

According to security researcher Graham Cluley, fin1te discovered that one of the elements of the mobile activation form contained, as a parameter, users' profile IDs—the unique numbers associated with their accounts.

"Change the profile ID that is sent by that form to Facebook, and the social network might be duped into thinking you are someone else linking a mobile phone to their account," Cluley blogged. "Therefore, the first step needed to hijack someone’s account in this way requires your victim’s unique Facebook profile ID."

"If you don’t know what someone’s numeric profile ID is, you can always look it up using freely available tools—they aren’t supposed to be a secret," he added.

According to fin1te, the flaw specifically resided in the /ajax/settings/mobile/confirm_phone.php end-point.

"This takes various parameters, but the two main are code, which is the verification code received via your mobile, and profile_id, which is the account to link the number to," fin1te explained. "The thing is, profile_id is set to your account (obviously), but changing it to your target’s doesn’t trigger an error."

To exploit the vulnerability, an attacker needed only send the letter F to 32665, which is Facebook's SMS short code in the U.K., which is normally done to enable users to receive Facebook notifications on their mobile phones. In return, the attacker would receive an eight-character verification code, which they could enter into the Facebook form. After modifying the form's source code and entering a different profile ID, the verification code could have given an attacker access to another account.

Once inside, the researcher was able to reset other users' passwords and hijack their accounts by tying the accounts to their mobile phone numbers.

"Now we can initiate a password reset request against the user and get the code via SMS," fin1te blogged. "Another SMS is received with the reset code. We enter this code into the [password reset] form, choose a new password, and we're done. The account is ours."

Fin1te reported the flaw May 23. Facebook responded by patching the issue five days later and ultimately issuing the reward.

"We appreciate the security researcher’s effort to report this issue to our White Hat Program," a Facebook spokesperson said in a statement. "We worked with the researcher to evaluate the scope of the issue and fix this bug quickly. We have no evidence that it was exploited maliciously. We have provided a bounty to the researcher to thank him for his contribution to Facebook security."