British information security researcher Jack Whitton, a.k.a. Fin1te, who discovered the bug, revealed this week that he'd reported the problem to Facebook on May 23. Just five days later, Facebook both acknowledged his bug report and told him the issue had been fixed. Wednesday, Facebook's bug bounty program -- which rewards researchers who privately disclose vulnerabilities to Facebook and wait to detail them publicly until after Facebook fixes the problem -- thanked Whitton "for making Facebook more secure with this great bug."
Whitton's attack exploited a security vulnerability related to linking a mobile phone number to a Facebook account. "This allows you to receive updates via SMS, and also means you can login using the number rather than your email address," he said in a blog post.
Thanks to a flaw in how the PHP endpoint behind Facebook's SMS confirmation handled the request, however, Whitton identified a two-step attack that allowed him to associate an arbitrary mobile phone number with anyone's Facebook account, then to initiate a password reset for that account and choose a new password for it, giving him complete access. The owner of the targeted account, meanwhile, would have had no indication that the hack was underway until she was no longer able to log in.
Whitton's exploit took advantage of Facebook's mechanism for activating and using mobile texts with the social network. In the United States, one related set-up process involves sending a text message that contains only "fb" to the short code 32654 (FBOOK); the short code differs in some other countries. After a slight delay, Facebook sends an SMS back to the mobile phone with an eight-character confirmation code that must be entered on the user's Mobile Settings page on Facebook's site before the link with the mobile phone is activated.
Whitton's attack involved tampering with the request generated by the Mobile Settings form before it was submitted back to Facebook. In particular, he found that he could change the form's "profile_id" field -- which carries the public ID number assigned to every Facebook account, so any victim's value is easy to look up -- to another Facebook user's account ID. The server validated the confirmation code but trusted the client-supplied account ID, so after the form was submitted, Facebook would tie the attacker's mobile phone number to whichever account that ID named.
Next, an attacker could use Facebook's password-reset feature to request that a password-reset confirmation code be sent via SMS to the mobile phone that had just been authorized for the account. This code can then be entered into the password-reset screen on Facebook, and the password for a user's account changed to a password of the attacker's choosing. At that point, the attacker would have gained control of the targeted account.
"The bounty assigned to this bug was $20,000, clearly demonstrating the severity of the issue," Whitton said. Facebook's corresponding fix, meanwhile, was simple: "Facebook responded by no longer accepting the profile_id parameter from the user," he said.
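The two steps described above, and the fix Whitton quotes, can be modelled in a few dozen lines. The following Python is an added illustration and is not Facebook's code: the account store (`ACCOUNTS`), the code tables, the handler names (`confirm_phone_vulnerable`, `confirm_phone_fixed`), the phone number and the account IDs are all constructed for this example. The vulnerable handler binds the phone to whatever `profile_id` the form carries; the hardened handler takes the account from the authenticated session and ignores the form field, which is the change Whitton describes.

```python
"""Model of the Mobile Settings confirmation and SMS password-reset flow
(added example, not Facebook's code; all data below is constructed)."""
import hmac
import secrets

# Constructed accounts: the attacker controls 1001, the victim is 2002.
ACCOUNTS = {
    1001: {"email": "attacker@example.com", "password": "attacker-pw", "phone": None},
    2002: {"email": "victim@example.com", "password": "victim-pw", "phone": None},
}
PENDING_CODES = {}  # phone number -> 8-character SMS confirmation code
RESET_CODES = {}    # profile_id -> password-reset code sent by SMS


def issue_sms_code(phone):
    """Server side of texting 'fb' to the short code: reply with an 8-char code."""
    code = secrets.token_hex(4)  # 4 bytes -> 8 hex characters
    PENDING_CODES[phone] = code
    return code


def _code_matches(table, key, submitted):
    expected = table.get(key)
    return expected is not None and hmac.compare_digest(expected, submitted)


def confirm_phone_vulnerable(session, form):
    """Original behaviour: the code is checked, but the account to link the
    phone to is read from the client-controlled profile_id field."""
    phone, code = form["phone"], form["code"]
    if not _code_matches(PENDING_CODES, phone, code):
        return False
    profile_id = int(form["profile_id"])  # the bug: trusted straight from the form
    ACCOUNTS[profile_id]["phone"] = phone
    del PENDING_CODES[phone]
    return True


def confirm_phone_fixed(session, form):
    """Fix: the account is the one the caller is logged in as; profile_id is
    never read from the request, so it cannot be rewritten."""
    phone, code = form["phone"], form["code"]
    if not _code_matches(PENDING_CODES, phone, code):
        return False
    profile_id = session["user_id"]
    ACCOUNTS[profile_id]["phone"] = phone
    del PENDING_CODES[phone]
    return True


def request_password_reset(identifier):
    """Find the account by email or phone and 'send' a reset code to its linked
    phone. Returns (profile_id, phone, code) as the SMS would, or None."""
    for pid, acct in ACCOUNTS.items():
        if identifier in (acct["email"], acct["phone"]):
            if acct["phone"] is None:
                return None
            RESET_CODES[pid] = secrets.token_hex(3)
            return (pid, acct["phone"], RESET_CODES[pid])
    return None


def complete_password_reset(profile_id, code, new_password):
    if not _code_matches(RESET_CODES, profile_id, code):
        return False
    ACCOUNTS[profile_id]["password"] = new_password
    del RESET_CODES[profile_id]
    return True


def run_takeover(confirm_handler, attacker_phone="+15550001"):
    """Replay the two-step attack against account 2002 through the given
    handler. Returns True if the attacker ends up controlling the victim's
    password. State is reset first so each handler can be tried in turn."""
    for acct in ACCOUNTS.values():
        acct["phone"] = None
    ACCOUNTS[2002]["password"] = "victim-pw"
    PENDING_CODES.clear()
    RESET_CODES.clear()
    attacker_session = {"user_id": 1001}

    # Step 1: the attacker texts 'fb' from a phone they own, then submits the
    # Mobile Settings form with profile_id rewritten to the victim's public ID.
    code = issue_sms_code(attacker_phone)
    form = {"phone": attacker_phone, "code": code, "profile_id": "2002"}
    if not confirm_handler(attacker_session, form):
        return False

    # Step 2: request a reset for the victim; the SMS goes to whichever phone
    # is now linked to that account, and the attacker reads it.
    delivered = request_password_reset(ACCOUNTS[2002]["email"])
    if delivered is None or delivered[1] != attacker_phone:
        return False  # no phone, or the phone linked is not the attacker's
    pid, _, reset_code = delivered
    complete_password_reset(pid, reset_code, "attacker-chosen")
    return ACCOUNTS[2002]["password"] == "attacker-chosen"


if __name__ == "__main__":
    print("vulnerable handler, takeover succeeds:", run_takeover(confirm_phone_vulnerable))
    print("fixed handler, takeover succeeds:", run_takeover(confirm_phone_fixed))
```

With the fixed handler the attacker's phone is still linked, but only to the attacker's own account, so the victim's reset request has no phone to deliver to and the second step never starts. The general lesson is the one the fix embodies: any identifier that selects whose record a request modifies must come from the server's own notion of who is authenticated, never from a hidden form field.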
As the bounty paid to Whitton suggests, disclosing software vulnerabilities can fetch big bucks. Microsoft earlier this month even dangled a maximum $100,000 bounty for "truly novel exploitation techniques."
While that's a substantial amount of money, the reality is that such vulnerabilities might fetch far more on the open market, including the cybercrime underground. "I reckon that bug was worth more than $20k but that's still a nice chunk of cash for one vuln!" tweeted a Dublin-based information security researcher who goes by the name Security Ninja, referring to Whitton's Facebook bug bounty.
On the other hand, going the coordinated-disclosure route -- warning Facebook about the bug rather than hawking it to bug buyers -- means getting to publicly reveal your role in helping responsibly patch it. That can be a good career move for someone like Whitton, an application security engineer by day and a freelance information security researcher by night, who earns his living testing Web applications and reviewing source code for bugs.