A UK-based security researcher, Jack Whitton (a.k.a. "fin1te"), has earned $20,000 after uncovering a high-severity security hole in Facebook that allowed another user's account to be viewed or stolen using nothing more than a mobile phone and Facebook SMS.
Why Is It Interesting?
The $20,000 was paid out because the hole was considered extremely dangerous for this "social networking empire". In a simulation, someone's account could be taken over (stolen) in less than 60 seconds.
Taking over an account in just 60 seconds hardly seems to make sense. At first we might think Facebook SMS is only used to update a status by SMS. But in fact Facebook already stores our data, i.e. our email and personal phone number (which are used to log in to Facebook). That is what makes this a big deal: among the millions of lines of code behind Facebook SMS, there was a security hole worth $20,000.
What Did fin1te Reveal?
As documented by Jack Whitton on his blog in the post titled "Hijacking a Facebook Account with SMS", there was a weakness in the code behind the endpoint /ajax/settings/mobile/confirm_phone.php. The endpoint takes a lot of parameters, but the two that matter for the weakness are code, the verification code we receive on our mobile phone, and profile_id, which is connected to our number. The experiment was to replace the profile_id parameter with another person's profile_id (e.g. the target's); the request returned no error, which means the change was accepted. This was the golden door fin1te used to pocket $20,000.
Let's do it!!!
Enter the code on the activation form and, in the page source, locate the profile_id element that resides in fbMobileConfirmationForm.
Change the value of the profile_id element through the Inspect Element feature built into the browser (Chrome and Mozilla), opened with a right click.
If you have difficulty finding the profile ID, you can use the tool http://findmyfacebookid.com; simply enter the profile URL.
Within a few seconds, Facebook sends a message confirming that we are set up to use Facebook Mobile.
The target Facebook account is now fully under control, without any difficult hacking techniques such as malware or phishing. The account theft is done simply by using SMS.
The final step is to finish off the target account by using the Reset Password feature, which is also available on Facebook Mobile (of course, we are already logged in to Facebook Mobile through the steps above). Within seconds, Facebook hands over the "sharp knife" needed to rip off the target account.
Super easy steps, right? This very simple but deadly flaw threatened Facebook's security, so fin1te should have been able to get more than $20,000 for his services.
The issue fin1te reported has since been fixed by Facebook, which no longer accepts the profile_id parameter from the user.
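The fix described above, as an added sketch that is not Facebook's code and not taken from fin1te's post: a constructed model of a phone-confirmation handler, with the "before" version that links the number to the form-supplied profile_id beside a version that takes the account from the logged-in session. The class, method names and sample values are assumptions made for illustration.

```python
import hmac

class MobileConfirm:
    """Constructed model of an SMS phone-confirmation endpoint."""
    def __init__(self):
        self.pending = {}     # phone number -> one-time code sent by SMS
        self.linked = {}      # profile_id -> confirmed phone number
        self.tamper_log = []  # (session user, submitted profile_id) mismatches

    def send_code(self, phone, code):
        self.pending[phone] = code

    def _redeem(self, code):
        # Find the phone whose pending code matches and consume it (single use).
        for phone, expected in list(self.pending.items()):
            if hmac.compare_digest(expected, code):
                del self.pending[phone]
                return phone
        return None

    def confirm_vulnerable(self, session_user, form):
        # "Before": the account to link is read from the client-controlled form.
        phone = self._redeem(form["code"])
        if phone is None:
            return False
        self.linked[form["profile_id"]] = phone
        return True

    def confirm_fixed(self, session_user, form):
        # "After": profile_id from the form is never used for the link.
        # A mismatch is only recorded as a signal for detection.
        submitted = form.get("profile_id")
        if submitted is not None and submitted != session_user:
            self.tamper_log.append((session_user, submitted))
        phone = self._redeem(form["code"])
        if phone is None:
            return False
        self.linked[session_user] = phone
        return True

def run_demo():
    # Constructed sample data: "1001" is the logged-in user, "2002" is another account.
    form = {"code": "a1b2c3", "profile_id": "2002"}
    before, after = MobileConfirm(), MobileConfirm()
    before.send_code("+440000000001", "a1b2c3")
    after.send_code("+440000000001", "a1b2c3")
    before.confirm_vulnerable("1001", form)
    after.confirm_fixed("1001", form)
    return before.linked, after.linked, after.tamper_log

if __name__ == "__main__":
    print(run_demo())
```

In the "before" model the phone ends up linked to whichever profile_id the form carried; in the "after" model it can only ever be linked to the session's own account, and the mismatch is logged.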
From the timeline recorded on fin1te's blog, here are the documented dates:
- 23rd May 2013 - Reported
- 28th May 2013 - Acknowledgment of Report
- 28th May 2013 - Issue Fixed