A Recent Vulnerability That Cracked Facebook Accounts With Just One SMS


Can you imagine that a single message was enough to compromise any Facebook account, without any interaction from the user and without malicious software such as Trojans, phishing, or keyloggers?

Here we explain how a UK-based security researcher known as “fin1te” managed to compromise any Facebook account in under a minute by sending just one message.

Context: Linking Your Phone Number to Facebook

Most of us use Facebook, and many people choose to link their phone number to their account. This allows both notifications on the phone and login using the number instead of an email address or username.

Where Was the Vulnerability?

According to the researcher, the flaw was in the process of linking a phone number to an account — technically, in the endpoint /ajax/settings/mobile/confirm_phone.php.

This page runs in the background when the user enters their phone number and the verification code sent by Facebook to their phone. Submitting the form relied on two main parameters: one for the verification code and the other for the profile ID tied to the account and phone number.

Mobile confirmation form – hidden profile_id input in the HTML

Steps an Attacker Could Take (This Method No Longer Works)

  1. Change the profile ID parameter (profile_id) to the victim’s ID.

  2. Send the letter “F” to 32665 (the Facebook shortcode for SMS in the UK) and receive an 8-digit verification code.

    POST request to confirm_phone.php showing profile_id and confirmation_code parameters

  3. Submit the form with that code (or by manipulating the confirmation_code parameter) and send the request.

    Sending “F” to 32665 and the Facebook confirmation code received on iPhone

Facebook would accept that code and the attacker’s phone number would be linked to the victim’s profile. The attacker could then go to “forgot password”, choose recovery by phone number, enter the code they received (the “F” flow), and reset the victim’s password, gaining access to the account.

With this information, anyone with minimal web knowledge could have exploited accounts in this way.

Fix and Reward

After the researcher reported the bug, Facebook stopped accepting the profile_id parameter from users — the vulnerability was closed.
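The root cause described above is that the handler behind confirm_phone.php read the account identity from a client-controlled form field instead of from the authenticated session. The following model is an added illustration, not Facebook's code: the pre-fix handler beside a hardened one that derives the account from the session and logs any disagreeing profile_id. The SMS step, the storage layout and the names are assumptions made for the example.

```python
import secrets


class PhoneLinkService:
    """Toy model of the link-a-phone flow (added example, not Facebook's code)."""

    def __init__(self):
        self.pending = {}   # confirmation code -> phone awaiting confirmation
        self.linked = {}    # profile_id -> set of confirmed phones
        self.audit = []     # lines a defender could alert on

    def request_code(self, phone):
        """SMS step: the phone owner texts the shortcode and gets an 8-digit code."""
        code = f"{secrets.randbelow(10**8):08d}"
        self.pending[code] = phone
        return code

    def confirm_vulnerable(self, _session_profile_id, form):
        """Pre-fix handler: the account comes from the request body, so the
        session user is ignored and any profile_id can be written to."""
        phone = self.pending.pop(form.get("confirmation_code"), None)
        if phone is None:
            return False
        self.linked.setdefault(form["profile_id"], set()).add(phone)
        return True

    def confirm_fixed(self, session_profile_id, form):
        """Post-fix handler: the account is the authenticated session's only.
        A client-supplied profile_id is never trusted; a mismatch is logged."""
        supplied = form.get("profile_id")
        if supplied is not None and supplied != session_profile_id:
            self.audit.append(
                f"profile_id mismatch: session={session_profile_id} form={supplied}"
            )
        phone = self.pending.pop(form.get("confirmation_code"), None)
        if phone is None:
            return False   # unknown or already-used code
        self.linked.setdefault(session_profile_id, set()).add(phone)
        return True
```

The fixed handler still accepts a stale form that carries profile_id, but the value has no effect; only the audit entry records that it was sent.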

As a reward under its bug bounty program, Facebook paid fin1te $20,000.

Source: The Hacker News