How To Hack Facebook In 60 Seconds - InformationWeek


Facebook rewards U.K. researcher with $20,000 for discovering a mobile device confirmation bug that could be used to take control of any Facebook account.

Facebook has patched a flaw that could be exploited to hack into any user's account, using SMS messages, in less than 60 seconds. It also provided the information security researcher who discovered the previously undisclosed bug with a $20,000 "bug bounty" reward.

British information security researcher Jack Whitton, a.k.a. Fin1te, who discovered the bug, revealed this week that he'd reported the problem to Facebook on May 23. Just five days later, Facebook both acknowledged his bug report and told him the issue had been fixed. Wednesday, Facebook's bug bounty program -- which rewards researchers who privately disclose vulnerabilities to Facebook and wait to detail them publicly until after Facebook fixes the problem -- thanked Whitton "for making Facebook more secure with this great bug."

Whitton's attack exploited a security vulnerability related to linking a mobile phone number to a Facebook account. "This allows you to receive updates via SMS, and also means you can login using the number rather than your email address," he said in a blog post.

Because of a flaw in how Facebook's PHP page handled SMS confirmations, however, Whitton identified a two-step attack technique: first associate an arbitrary mobile phone with anyone's Facebook account, then initiate a password reset and choose a new password for the targeted account, gaining complete access to it. The owner of the targeted account, meanwhile, would have had no indication that the hack was underway until she was no longer able to access her account.

Whitton's exploit took advantage of Facebook's mechanism for activating and using mobile texts with the social network. In the United States, one related set-up process involves sending a text message that contains only "fb" to 32654 (FBOOK) -- that text number varies for some other countries. After a slight delay, Facebook sends an SMS back to the mobile phone with an eight-character code that needs to be entered on a user's Mobile Settings page on Facebook's site before the link with the mobile phone can be activated.

Whitton's attack involved modifying the code used by the Mobile Settings form before it was submitted back to Facebook. In particular, he found that he could change the "profile_id" element -- which refers to the public ID number assigned to every Facebook account -- to any Facebook user's account ID. After submitting the form, Facebook would tie the mobile phone number used to that Facebook ID.

Next, an attacker could use Facebook's password-reset feature to request that a password-reset confirmation code be sent via SMS to the mobile phone that had just been authorized for the account. This code can then be entered into the password-reset screen on Facebook, and the password for a user's account changed to a password of the attacker's choosing. At that point, the attacker would have gained control of the targeted account.

"The bounty assigned to this bug was $20,000, clearly demonstrating the severity of the issue," Whitton said. Facebook's corresponding fix, meanwhile, was simple: "Facebook responded by no longer accepting the profile_id parameter from the user," he said.
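The following is an added example, not Facebook's code or Whitton's, that models the two handlers the article contrasts: the original form processing, which trusted a client-editable "profile_id" to decide which account a confirmed phone number is attached to, and the fix, which drops that parameter and takes the account from the server-side session. The account IDs, phone number, eight-hex-character code format and in-memory stores are all constructed assumptions; the point is the check a reviewer should look for in any confirmation or linking flow, namely that the identity being modified comes from the authenticated session rather than from the request body.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class MobileLinkService:
    """Toy model of a phone-number linking flow (constructed; not Facebook's code)."""
    accounts: dict = field(default_factory=dict)  # account id -> set of linked phones
    pending: dict = field(default_factory=dict)   # confirmation code -> phone number

    def register_account(self, account_id: int) -> None:
        self.accounts[account_id] = set()

    def receive_fb_text(self, phone: str) -> str:
        """Step 1: the phone texts "fb" to the short code; the service replies with an
        eight-character confirmation code bound to that phone (format is an assumption)."""
        code = secrets.token_hex(4).upper()
        self.pending[code] = phone
        return code

    def _consume_code(self, code: str) -> str:
        # Single use: a code that was never issued, or already redeemed, is rejected.
        try:
            return self.pending.pop(code)
        except KeyError:
            raise ValueError("unknown or already-used confirmation code") from None

    def link_phone_vulnerable(self, session_account: int, form: dict) -> int:
        """Flawed behaviour the article describes: the form's profile_id, which the
        browser sends and the user can edit, decides which account gets the phone."""
        phone = self._consume_code(form["code"])
        target = int(form["profile_id"])  # trusted straight from the client
        self.accounts[target].add(phone)
        return target

    def link_phone_fixed(self, session_account: int, form: dict) -> int:
        """Fix matching the article: profile_id is no longer accepted. The account
        is the one behind the authenticated session that submitted the form."""
        phone = self._consume_code(form["code"])
        self.accounts[session_account].add(phone)  # any form["profile_id"] is ignored
        return session_account

    def password_reset_recipients(self, account_id: int) -> set:
        """Phones a password-reset code for this account would be texted to.
        Whoever holds one of these phones can complete the reset."""
        return set(self.accounts[account_id])


def demo() -> dict:
    """Run both handlers against the same edited form; report where the phone landed
    and which phones would then receive reset codes for the unrelated account 2002."""
    results = {}
    for handler_name in ("link_phone_vulnerable", "link_phone_fixed"):
        svc = MobileLinkService()
        svc.register_account(1001)  # account that owns the phone and the session
        svc.register_account(2002)  # unrelated account whose ID appears in the form
        code = svc.receive_fb_text("+15555550100")  # constructed sample number
        form = {"code": code, "profile_id": "2002"}  # profile_id edited before submit
        landed = getattr(svc, handler_name)(1001, form)
        results[handler_name] = (landed, svc.password_reset_recipients(2002))
    return results


if __name__ == "__main__":
    for name, (landed, reset_phones) in demo().items():
        print(f"{name}: phone linked to account {landed}; "
              f"reset codes for 2002 would go to {reset_phones or 'nobody'}")
```

Running the block shows the whole consequence chain from the article: under the flawed handler the phone lands on account 2002 and reset codes for that account go to a phone its owner never linked, while under the fixed handler the same form leaves 2002 untouched. A server-side log of which session linked which phone to which account, with an alert when the two identities differ, is the corresponding detection for this class of bug.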

As the bounty paid to Whitton suggests, disclosing software vulnerabilities can fetch big bucks. Microsoft earlier this month even dangled a maximum $100,000 bounty for "truly novel exploitation techniques."

While that's a substantial amount of money, the reality is that on the open market, meaning the cybercrime underground, such vulnerabilities might fetch far more. "I reckon that bug was worth more than $20k but that's still a nice chunk of cash for one vuln!" tweeted a Dublin-based information security researcher who goes by the name Security Ninja, referring to Whitton's Facebook bug bounty.

On the other hand, going the coordinated-disclosure route -- warning Facebook about the bug rather than hawking it to bug buyers -- means getting to publicly reveal your role in helping responsibly patch a bug. That can be a good career move for someone like Whitton, an application security engineer by day and a freelance information security researcher by night, who earns his living by testing Web applications and reviewing source code for bugs.
