How To Hack Facebook In 60 Seconds - InformationWeek

Facebook rewards U.K. researcher with $20,000 for discovering a mobile device confirmation bug that could be used to take control of any Facebook account.

Facebook has patched a flaw that could be exploited to take over any user's account, using only SMS messages, in less than 60 seconds. It also paid the information security researcher who discovered the previously undisclosed bug a $20,000 "bug bounty" reward.

British information security researcher Jack Whitton, a.k.a. Fin1te, who discovered the bug, revealed this week that he'd reported the problem to Facebook on May 23. Just five days later, Facebook both acknowledged his bug report and told him the issue had been fixed. Wednesday, Facebook's bug bounty program -- which rewards researchers who privately disclose vulnerabilities to Facebook and wait to detail them publicly until after Facebook fixes the problem -- thanked Whitton "for making Facebook more secure with this great bug."

Whitton's attack exploited a security vulnerability related to linking a mobile phone number to a Facebook account. "This allows you to receive updates via SMS, and also means you can login using the number rather than your email address," he said in a blog post.


Because the PHP page that handled SMS confirmations trusted an account identifier supplied by the client, Whitton identified a two-step attack that allowed him to associate an arbitrary mobile phone with anyone's Facebook account, then to initiate a password reset that let him choose a new password for the targeted account, giving him complete access. The owner of the targeted account, meanwhile, would have had no indication that the hack was underway until she was no longer able to log in.

Whitton's exploit took advantage of Facebook's mechanism for activating and using mobile texts with the social network. In the United States, one related set-up process involves sending a text message that contains only "fb" to 32654 (FBOOK) -- that text number varies for some other countries. After a slight delay, Facebook sends an SMS back to the mobile phone with an eight-character code that needs to be entered on a user's Mobile Settings page on Facebook's site before the link with the mobile phone can be activated.

Whitton's attack involved modifying the data the Mobile Settings form submitted back to Facebook. In particular, the form carried a "profile_id" parameter (the public ID number assigned to every Facebook account), and the server used that client-supplied value, rather than the logged-in session, to decide which account to update. Changing it to any other user's account ID before submitting the form caused Facebook to tie the attacker's mobile phone number to that account.

Next, an attacker could use Facebook's password-reset feature to request that a password-reset confirmation code be sent via SMS to the phone just bound to the victim's account, which is the attacker's own handset. Entering that code into the password-reset screen let the attacker change the account's password to one of his choosing. At that point, the attacker would have gained control of the targeted account.

"The bounty assigned to this bug was $20,000, clearly demonstrating the severity of the issue," Whitton said. Facebook's corresponding fix, meanwhile, was simple: "Facebook responded by no longer accepting the profile_id parameter from the user," he said.
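The two steps above, and the fix Whitton describes, as an added example that is not Facebook's code or Whitton's: a constructed model in which the confirmation handler either honours the submitted profile_id (the pre-fix behaviour) or ignores it in favour of the session (the post-fix behaviour). Every name here (FacebookModel, confirm_mobile_vulnerable, confirm_mobile_fixed, run_attack, demo), the account IDs and the phone number are assumptions made for illustration; the SMS "carrier" is an in-memory list.

```python
"""Constructed model of the SMS-confirmation flaw and its fix (added example,
not Facebook's code). All class and function names are hypothetical."""
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Account:
    profile_id: int
    password: str
    phone: Optional[str] = None  # number bound to the account, if any


class FacebookModel:
    """Minimal model of the mobile-confirmation and SMS password-reset flows."""

    def __init__(self) -> None:
        self.accounts: Dict[int, Account] = {}
        self.pending_codes: Dict[str, str] = {}      # confirmation code -> sender's number
        self.reset_codes: Dict[int, str] = {}        # profile_id -> reset code
        self.sms_outbox: List[Tuple[str, str]] = []  # (number, text): stand-in for the carrier

    def register(self, profile_id: int, password: str) -> None:
        self.accounts[profile_id] = Account(profile_id, password)

    def _send_sms(self, number: str, text: str) -> None:
        self.sms_outbox.append((number, text))

    def text_fb(self, sender: str) -> str:
        """User texts 'fb' to the short code; server replies with an 8-character code."""
        code = secrets.token_hex(4)  # 8 hex characters
        self.pending_codes[code] = sender
        self._send_sms(sender, f"Your Facebook confirmation code is {code}")
        return code

    def confirm_mobile_vulnerable(self, session_user: int, form: Dict[str, str]) -> int:
        """Pre-fix behaviour: the account to bind is taken from the submitted profile_id."""
        sender = self.pending_codes.pop(form["code"])  # the code itself is genuine ...
        target = int(form["profile_id"])               # ... but the target is client-chosen
        self.accounts[target].phone = sender
        return target

    def confirm_mobile_fixed(self, session_user: int, form: Dict[str, str]) -> int:
        """Post-fix behaviour: any profile_id in the form is ignored; the session decides."""
        sender = self.pending_codes.pop(form["code"])
        self.accounts[session_user].phone = sender
        return session_user

    def request_reset_by_phone(self, number: str) -> int:
        """Password reset by phone: find the account bound to the number, text it a code."""
        for acct in self.accounts.values():
            if acct.phone == number:
                code = secrets.token_hex(3)
                self.reset_codes[acct.profile_id] = code
                self._send_sms(number, f"Your password reset code is {code}")
                return acct.profile_id
        raise LookupError("no account bound to that number")

    def complete_reset(self, profile_id: int, code: str, new_password: str) -> None:
        if self.reset_codes.pop(profile_id, None) != code:
            raise PermissionError("bad reset code")
        self.accounts[profile_id].password = new_password


def run_attack(fb: FacebookModel, attacker_id: int, victim_id: int,
               attacker_phone: str, confirm) -> int:
    """Attacker's two steps; returns the profile whose password ended up changed."""
    code = fb.text_fb(attacker_phone)                        # obtain a real confirmation code
    tampered = {"code": code, "profile_id": str(victim_id)}  # step 1: edit the hidden field
    confirm(attacker_id, tampered)
    reset_for = fb.request_reset_by_phone(attacker_phone)    # step 2: reset via SMS
    reset_code = fb.sms_outbox[-1][1].split()[-1]            # read from the attacker's own phone
    fb.complete_reset(reset_for, reset_code, "attacker-chosen")
    return reset_for


def demo(fixed: bool) -> Tuple[int, str]:
    """Run the attack against one model; return (account reset, victim's password after)."""
    fb = FacebookModel()
    fb.register(1001, "victim-secret")    # target account (constructed IDs)
    fb.register(2002, "attacker-secret")  # attacker's own account
    confirm = fb.confirm_mobile_fixed if fixed else fb.confirm_mobile_vulnerable
    reset_for = run_attack(fb, 2002, 1001, "+15555550100", confirm)
    return reset_for, fb.accounts[1001].password


if __name__ == "__main__":
    print("vulnerable:", demo(fixed=False))  # (1001, 'attacker-chosen')
    print("fixed:     ", demo(fixed=True))   # (2002, 'victim-secret')
```

Note that the confirmation code is genuine in both runs; the only thing the attacker forges is which account it is applied to. That is why the fix needs no extra validation of profile_id: the server simply stops reading it and binds the phone to whoever owns the session, so the attacker's tampered form can only ever bind his phone to his own account.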

As the bounty paid to Whitton suggests, disclosing software vulnerabilities can fetch big bucks. Microsoft earlier this month even dangled a maximum $100,000 bounty for "truly novel exploitation techniques."

While that's a substantial amount of money, the reality is that on the open market, including the cybercrime underground, such vulnerabilities might fetch far more. "I reckon that bug was worth more than $20k but that's still a nice chunk of cash for one vuln!" tweeted a Dublin-based information security researcher who goes by the name Security Ninja, referring to Whitton's Facebook bug bounty.

On the other hand, going the coordinated-disclosure route -- warning Facebook about the bug rather than hawking it to bug buyers -- means getting to publicly reveal your role in helping responsibly patch a bug. That can be a good career move for someone like Whitton, an application security engineer by day and a freelance information security researcher by night, who earns his living testing Web applications and reviewing source code for bugs.
