Facebook Patches Mobile Text Vulnerability, Rewards Flaw Discoverer

By Brian Prince - June 30, 2013

Facebook has fixed a vulnerability that a U.K. security researcher discovered could have been used to hijack user accounts via Facebook’s Mobile Texts feature.

The researcher, who goes by the nickname ‘fin1te,’ was rewarded with $20,000 via Facebook’s bug bounty program for finding the flaw and reporting it to the social network last month.

“Facebook gives you the option of linking your mobile number with your account,” the researcher blogged. “This allows you to receive updates via SMS [Short Message Service], and also means you can log in using the number rather than your email address.”

According to security researcher Graham Cluley, fin1te discovered that one of the elements of the mobile activation form contained, as a parameter, users’ profile IDs—the unique numbers associated with their accounts.

“Change the profile ID that is sent by that form to Facebook, and the social network might be duped into thinking you are someone else linking a mobile phone to their account,” Cluley blogged. “Therefore, the first step needed to hijack someone’s account in this way requires your victim’s unique Facebook profile ID.”

“If you don’t know what someone’s numeric profile ID is, you can always look it up using freely available tools—they aren’t supposed to be a secret,” he added.

According to fin1te, the flaw specifically resided in the /ajax/settings/mobile/confirm_phone.php endpoint.

“This takes various parameters, but the two main ones are code, which is the verification code received via your mobile, and profile_id, which is the account to link the number to,” fin1te explained. “The thing is, profile_id is set to your account (obviously), but changing it to your target’s doesn’t trigger an error.”

To exploit the vulnerability, an attacker needed only to send the letter F to 32665, Facebook’s SMS short code in the U.K.; this is the normal way for users to enable Facebook notifications on their mobile phones. In return, the attacker would receive an eight-character verification code to enter into the Facebook form. After modifying the form’s source to submit a different profile ID, the attacker could have used that verification code to gain access to another account.
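The root cause described above is a classic insecure direct object reference: the server accepted the account to link from a form field (profile_id) instead of deriving it from the authenticated session, and the SMS code only proved that the caller received a text, not that they owned the account named in the request. The Python model below is an added illustration written for this article; it is not the researcher’s code and not Facebook’s PHP endpoint. The class and method names, the hex alphabet of the code, the attempt limit and the phone numbers are all constructed assumptions; only the eight-character code length and the two parameters (code, profile_id) come from the article. It shows the vulnerable handler beside a hardened one that looks up the pending code by the session user, compares it in constant time, makes it single-use and locks the account after repeated failures.

```python
"""Constructed model of a 'link this phone to my account' confirmation flow.

Added example for the article above; not the real endpoint's code.
"""
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class PendingLink:
    """A verification code texted to a phone, and the account that asked for it."""
    requester_id: int   # account logged in when the code was issued
    phone: str
    code: str           # eight characters, as in the article (hex alphabet assumed)


class PhoneLinkService:
    """Hypothetical service holding pending codes and confirmed phone links."""

    MAX_ATTEMPTS = 5    # assumed lockout threshold, not a Facebook value

    def __init__(self) -> None:
        self.pending: Dict[int, PendingLink] = {}   # keyed by requesting account
        self.linked: Dict[int, str] = {}            # profile_id -> phone number
        self.failures: Dict[int, int] = {}          # profile_id -> failed attempts

    def issue_code(self, session_profile_id: int, phone: str) -> str:
        """Issue a code for the logged-in user's phone (stand-in for the SMS step)."""
        code = secrets.token_hex(4)   # 4 random bytes -> 8 hex characters
        self.pending[session_profile_id] = PendingLink(session_profile_id, phone, code)
        return code

    def confirm_phone_vulnerable(self, code: str, profile_id: int) -> bool:
        """Pattern the article describes: the account to link is read from the
        form's profile_id, so a valid code for *any* phone links that phone to
        whichever account the client names."""
        link: Optional[PendingLink] = next(
            (p for p in self.pending.values() if p.code == code), None)
        if link is None:
            return False
        del self.pending[link.requester_id]
        self.linked[profile_id] = link.phone   # BUG: profile_id is client-controlled
        return True

    def confirm_phone_fixed(self, session_profile_id: int, code: str) -> bool:
        """Hardened form: the target account comes only from the session, the
        code is bound to the account that requested it, compared in constant
        time, consumed on success, and brute force is rate-limited."""
        if self.failures.get(session_profile_id, 0) >= self.MAX_ATTEMPTS:
            return False                         # locked out after repeated failures
        link = self.pending.get(session_profile_id)
        if link is None or not hmac.compare_digest(link.code, code):
            self.failures[session_profile_id] = self.failures.get(session_profile_id, 0) + 1
            return False
        del self.pending[session_profile_id]     # single use
        self.failures.pop(session_profile_id, None)
        self.linked[session_profile_id] = link.phone
        return True


if __name__ == "__main__":
    svc = PhoneLinkService()
    # Constructed numbers from the U.K. reserved drama range (+44 7700 900xxx).
    code = svc.issue_code(2, "+44 7700 900123")
    print("vulnerable handler linked account 1:",
          svc.confirm_phone_vulnerable(code, profile_id=1), svc.linked)
    svc = PhoneLinkService()
    code = svc.issue_code(2, "+44 7700 900123")
    print("fixed handler, wrong session user:", svc.confirm_phone_fixed(1, code))
    print("fixed handler, requesting user:   ", svc.confirm_phone_fixed(2, code), svc.linked)
```

The key design point is that the fixed handler never reads an account identifier from the request at all; the lookup key is the session, so there is nothing for a tampered form field to influence. Binding the code to the requester also means that a code obtained for one phone cannot be replayed against another account even if the session check were somehow bypassed.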

Once inside, the researcher was able to reset other users’ passwords and hijack their accounts by tying the accounts to their mobile phone numbers.

“Now we can initiate a password reset request against the user and get the code via SMS,” fin1te blogged. “Another SMS is received with the reset code. We enter this code into the [password reset] form, choose a new password, and we’re done. The account is ours.”

Fin1te reported the flaw May 23. Facebook responded by patching the issue five days later and ultimately issuing the reward.

“We appreciate the security researcher’s effort to report this issue to our White Hat Program,” a Facebook spokesperson said in a statement. “We worked with the researcher to evaluate the scope of the issue and fix this bug quickly. We have no evidence that it was exploited maliciously. We have provided a bounty to the researcher to thank him for his contribution to Facebook security.”

      eWeek