A UK-based security researcher going by the name of Jack Whitton, a.k.a. "fin1te", has earned $20,000 after finding and reporting a serious security loophole in Facebook: the flaw allowed an attacker to take over another person's account simply by using a mobile phone and Facebook SMS.
Why is it interesting?
$20,000 was paid out because the "social networking empire" considered the gap extremely dangerous. In the walkthrough, taking over (stealing) someone's account took less than 60 seconds.
Sixty seconds hardly seems enough for an action like this. At first we may think Facebook SMS is only used to update our status via SMS. But in fact it already holds our stored data, namely the email address and personal phone number used to log into Facebook. That is the big thing: among the millions of lines of code behind Facebook SMS there was a security hole worth $20,000.
What did fin1te reveal? As documented by Jack Whitton in his blog post titled "Hijacking a Facebook Account with SMS", the weak code was at the endpoint /ajax/settings/mobile/confirm_phone.php. It takes a number of parameters, but the two that matter for the weakness are code, the verification code we receive on our mobile phone, and profile_id, the account the phone number is being linked to.
The experiment consisted of changing the profile_id parameter to another person's profile_id (e.g. your target's). Since the request returned no error, the server accepted it. This was the golden door that earned fin1te $20,000.
Let's do it!!!
To use this loophole, the first step is to send an FB message to the number 32 654 (the number varies by country). After that, we receive a code consisting of 8 characters.
Change the value of the profile_id element through the Inspect Element feature of the browser (Chrome & Mozilla), opened by right click.
If you have difficulty finding the profile ID, you can use the tool http://findmyfacebookid.com by simply entering the profile URL.
After changing the target profile_id element, click Confirm to submit the modified data, and check the request headers to make sure the data sent matches what was changed.
Within a few seconds, Facebook sends the information that we have confirmed using Facebook Mobile.
The final step is to take over the target account using the Reset Password feature, also available on Facebook Mobile (of course, having logged into Facebook Mobile using the above). Within seconds, Facebook hands over a "sharp knife" to rip off the target account.
Following fin1te's warning, Facebook has fixed this by now: Facebook no longer accepts the profile_id parameter from the user.
From the timeline recorded on fin1te's blog, here is the documented date history:
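To make the weakness and the fix concrete, here is an added Python illustration; it is not Facebook's code and not from fin1te's post. It models the phone-confirmation endpoint described above in two versions: a flawed handler that trusts a client-supplied profile_id (the bug class fin1te reported), and a hardened handler that takes the account from the authenticated session and checks that the code was issued to that same account. The function names, the in-memory "session" and code store, and the sample identifiers are all constructed for this example.

```python
# Added example (not Facebook's code): the parameter-tampering weakness in a
# phone-confirmation endpoint, beside the server-side binding that fixes it.
# All names, data and state here are constructed for illustration.
import secrets

# Constructed server state.
PENDING_CODES = {}     # verification code -> profile_id it was issued to
PHONE_BINDINGS = {}    # profile_id -> confirmed phone number


def issue_code(profile_id):
    """Simulates texting an 8-character confirmation code to an account's phone."""
    code = secrets.token_hex(4)          # 8 hex characters, like the code in the post
    PENDING_CODES[code] = profile_id
    return code


def confirm_phone_vulnerable(session_user, form):
    """Flawed handler: binds the phone to whatever profile_id the form carries.

    The code is checked for existence only, not for WHICH account it was issued
    to, so a valid code for one account can confirm a phone on another.
    """
    code = form["code"]
    profile_id = form["profile_id"]      # taken from the client: the bug
    if code not in PENDING_CODES:
        return "invalid code"
    PHONE_BINDINGS[profile_id] = form["phone"]
    return "confirmed"


def confirm_phone_fixed(session_user, form):
    """Hardened handler: the account is the logged-in user, never a form field,
    and the code must have been issued to exactly that account. Codes are
    single-use."""
    code = form["code"]
    owner = PENDING_CODES.get(code)
    if owner is None or owner != session_user:
        return "invalid code"
    PHONE_BINDINGS[session_user] = form["phone"]
    del PENDING_CODES[code]
    return "confirmed"


def simulate_tampering(handler):
    """Constructed scenario: 'attacker' requests a code for their own phone, then
    submits it with profile_id set to 'victim'. Returns the handler's reply and
    the victim's phone binding afterwards, so the two handlers can be compared."""
    PENDING_CODES.clear()
    PHONE_BINDINGS.clear()
    PHONE_BINDINGS["victim"] = "+1-555-0100"          # constructed: victim's real phone
    code = issue_code("attacker")
    reply = handler("attacker", {
        "code": code,
        "profile_id": "victim",                        # tampered field
        "phone": "+1-555-0199",                        # constructed: attacker's phone
    })
    return reply, PHONE_BINDINGS["victim"]


if __name__ == "__main__":
    print("vulnerable:", simulate_tampering(confirm_phone_vulnerable))
    print("fixed:     ", simulate_tampering(confirm_phone_fixed))
```

With the flawed handler the victim's binding ends up pointing at the attacker's phone, which is exactly what a phone-based password reset would then trust; with the fixed handler the tampered profile_id is ignored, the code only confirms a phone for the account it was issued to, and the victim's binding is untouched. The detection angle for a defender is the same check in reverse: any confirmation request whose profile_id differs from the session user is a tampering attempt worth logging.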
- 23rd May 2013 - Reported
- 28th May 2013 - Acknowledgment of Report
- 28th May 2013 - Issue Fixed