Pierluigi Paganini
June 27, 2013
Facebook hacked again, this time hackers have done it without using any other malicious code neither user interaction. UK based Security Researcher, “fin1te” revealed that attack could compromise any Facebook account in less than a minute simply exploiting an SMS message.
The hacker exploits the possibility provided by Facebook to link user’s mobile number with user’s account, the feature allows him to receive updates via SMS and to login using the number rather than the email address.
The hackers have found a bug the component
/ajax/settings/mobile/confirm_phone.php
which receive various parameters, most importantly for the hack are “code” (verification code received via mobile), and “profile_id” (account identifier linked the number).
The webpage works in the background when user submits his phone number and verification code, sent by Facebook to mobile. Despite the parameter profile_id is linked to the user’s account it’s modification to the hacker’s target doesn’t trigger an error.
Following the sequence of the attack to Facebook described by “fin1te”:
Change value of profile_id to the Victim’s profile_id value by tampering the parameters.
Send the letter F to 32665, which is Facebook’s SMS shortcode in the UK. The attacker will receive an 8 character verification code back.
Use the received verification Box entering it in the box or providing it as value for the parameter confirmation_code and Submit the form.
The attack is completed, Facebook will accept the confirmation code linking the attacker’s mobile number to victim’s Facebook profile and allowing the attacker to impersonate him.
At this point the attacker just has to execute the procedure for “Password forgotten” and initiate the password reset request against of the victim’s account.
“Attacker now can get password recovery code to his own mobile number which is linked to the victim’s account using the above steps. Enter the code and Reset the password!”
Facebook response was very fast no longer accepting the profile_id parameter from the user end after the warning provided by fin1te that also received from the company $20,000 as recompense for the Bug Bounty program.
Pierluigi Paganini
(Security Affairs – Facebook, hacking )
