Facebook squashes critical account hijacking bug
Posted on 27 June 2013.
A U.K.-based security researcher has shared details of a recently patched Facebook vulnerability that he discovered and for which he received $20,000 through the social network's bug bounty program.

Jack Whitton (aka "fin1te"), who is also a regular submitter to Google's and Etsy's bug bounty programs, found a simple but critical bug that allowed an attacker to take over any Facebook account by sending a single SMS.

The attack relies on the fact that many users have a mobile number linked to their Facebook account, and that they can use the number instead of their email address to log into it.

"The flaw lies in the /ajax/settings/mobile/confirm_phone.php end-point. This takes various parameters, but the two main ones are code, which is the verification code received via your mobile, and profile_id, which is the account to link the number to," he explained in a blog post. "The thing is, profile_id is set to your account (obviously), but changing it to your target's doesn't trigger an error."

Whitton has shared the step-by-step process by which the attacker ties his own phone number to the target's account and then submits a password reset request, so that the account's password reset code is delivered via SMS to the attacker's phone. After using the code to access the account and change the password, the attacker has effectively locked out the real owner.


According to the researcher, Facebook acknowledged the report some five days after he submitted it in late May, and fixed the flaw the same day by no longer accepting the profile_id parameter from the user.
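The following is an added illustration, not Whitton's code or Facebook's: a toy Python model of the flow the article describes. The confirmation endpoint is shown in its flawed form (trusting a client-supplied profile_id) beside the hardened form (account taken from the session only), and a small driver walks the attacker's steps through both. Account IDs, phone numbers, code format and SMS wording are all constructed for the example.

```python
"""Toy model of the confirm_phone / password-reset flow from the article.
Everything here (IDs, numbers, code format, SMS text) is constructed for
illustration; it is not Facebook's implementation."""
import re
import secrets


class Account:
    def __init__(self, user_id, email, password, phone=None):
        self.user_id = user_id
        self.email = email
        self.password = password
        self.phone = phone          # number linked for login / password reset


class Site:
    def __init__(self):
        self.accounts = {}          # user_id -> Account
        self.pending_confirm = {}   # confirmation code -> phone it was sent to
        self.pending_reset = {}     # reset code -> user_id
        self.sms_outbox = {}        # phone -> [messages]; stands in for the carrier

    def _send_sms(self, phone, text):
        self.sms_outbox.setdefault(phone, []).append(text)

    def _new_code(self):
        return f"{secrets.randbelow(10**8):08d}"

    def start_phone_confirmation(self, phone):
        """User asks to link `phone`; the site texts a confirmation code to it."""
        code = self._new_code()
        self.pending_confirm[code] = phone
        self._send_sms(phone, f"Your confirmation code is {code}")

    def confirm_phone_vulnerable(self, session_user_id, params):
        """The flaw as described: the account to link comes from
        params['profile_id'], which the client controls; no ownership check."""
        phone = self.pending_confirm.pop(params["code"], None)
        if phone is None:
            raise ValueError("unknown confirmation code")
        target_id = int(params.get("profile_id", session_user_id))
        self.accounts[target_id].phone = phone      # overwrites whatever was linked
        return target_id

    def confirm_phone_fixed(self, session_user_id, params):
        """Hardened: the account comes only from the authenticated session;
        a profile_id sent by the client is simply not consulted."""
        phone = self.pending_confirm.pop(params["code"], None)
        if phone is None:
            raise ValueError("unknown confirmation code")
        self.accounts[session_user_id].phone = phone
        return session_user_id

    def request_password_reset(self, identifier):
        """Reset by email or linked phone; the code goes to the linked phone."""
        for acct in self.accounts.values():
            if identifier in (acct.email, acct.phone):
                code = self._new_code()
                self.pending_reset[code] = acct.user_id
                self._send_sms(acct.phone, f"Your password reset code is {code}")
                return
        raise LookupError("no such account")

    def reset_password(self, code, new_password):
        user_id = self.pending_reset.pop(code)
        self.accounts[user_id].password = new_password


def last_code(site, phone):
    """What the holder of `phone` reads off the most recent SMS."""
    return re.search(r"code is (\d{8})", site.sms_outbox[phone][-1]).group(1)


def simulate(use_fix):
    """Run the attacker's steps against the flawed or fixed endpoint."""
    site = Site()
    site.accounts[1001] = Account(1001, "victim@example.com", "victim-pass", "+15555559999")
    site.accounts[2002] = Account(2002, "attacker@example.com", "attacker-pass")
    attacker_phone = "+15555550123"
    confirm = site.confirm_phone_fixed if use_fix else site.confirm_phone_vulnerable

    # 1. Logged in as 2002, the attacker requests a code for his own phone ...
    site.start_phone_confirmation(attacker_phone)
    # 2. ... but submits it with profile_id pointing at the victim's account.
    linked_to = confirm(2002, {"code": last_code(site, attacker_phone), "profile_id": "1001"})
    # 3. Request a password reset for the victim; the code goes to the linked phone.
    site.request_password_reset("victim@example.com")
    attacker_got_reset = any("reset code" in m for m in site.sms_outbox.get(attacker_phone, []))
    if attacker_got_reset:
        site.reset_password(last_code(site, attacker_phone), "owned-by-attacker")

    victim = site.accounts[1001]
    return {
        "linked_to": linked_to,
        "victim_phone": victim.phone,
        "takeover": victim.password == "owned-by-attacker",
    }
```

Running `simulate(False)` shows the attacker's number replacing the victim's linked phone and the reset code landing in the attacker's inbox; `simulate(True)` links the number to the attacker's own account and leaves the victim untouched. The general lesson is the one Facebook's fix applies: any identifier that names whose resource is being modified must come from the authenticated session, never from a request parameter.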
Copyright 1998-2014 by Help Net Security.