Facebook’s white hat program dished out another reward, as U.K.-based application security engineer Jack Whitton received $20,000 for alerting the social network about a bug that allowed him to take over other users’ Facebook accounts via text message.
Mashable reported on Whitton’s reward from Facebook, saying that the engineer discovered that he could trick the social network into sending him password reset codes for other users’ accounts if those accounts were linked to their mobile phone numbers.
Whitton described his findings in a post on his blog:
Facebook gives you the option of linking your mobile number with your account. This allows you to receive updates via SMS, and also means you can log in using the number rather than your email address.
The flaw lies in the /ajax/settings/mobile/confirm_phone.php end-point. This takes various parameters, but the two main ones are code, which is the verification code received via your mobile, and profile_id, which is the account to link the number to.
The thing is, profile_id is set to your account (obviously), but changing it to your target’s doesn’t trigger an error.
To exploit this bug, we first send the letter “F” to 32665, which is Facebook’s SMS short code in the U.K. We receive an eight-character verification code back.
We enter this code into the activation box (located here), and modify the profile_id element inside the fbMobileConfirmationForm form.
Submitting the request returns a 200. You can see the value of __user (which is sent with all AJAX requests) is different from the profile_id we modified.
Note: You may have to reauth after submitting the request, but the password required is yours, not the target's.
An SMS is then received with confirmation.
Now we can initiate a password reset request against the user and get the code via SMS.
Another SMS is received with the reset code.
We enter this code into the form, choose a new password, and we’re done. The account is ours.
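The root cause Whitton describes is a classic missing ownership check: the endpoint linked the phone number to whatever profile_id the form carried instead of to the authenticated user sent in __user. The following is an added illustration, not code from Facebook or from Whitton's post. It models a confirm-phone handler as an in-memory Python class, with the trusting version beside the corrected one; the class and method names, the user ids and the phone number are all constructed for the example.

```python
import secrets


class ConfirmError(Exception):
    """Raised when a phone-confirmation request is rejected."""


class PhoneConfirmService:
    """Toy model of a confirm-phone endpoint (constructed example, not Facebook's code)."""

    def __init__(self):
        self._pending = {}       # verification code -> phone number that requested it
        self.linked_phones = {}  # user id -> confirmed phone number

    def issue_code(self, phone):
        """Model the SMS step: a phone texts in and receives a single-use 8-character code."""
        code = secrets.token_hex(4)
        self._pending[code] = phone
        return code

    def confirm_vulnerable(self, session_user, profile_id, code):
        """The broken pattern: the profile_id from the form is trusted as-is,
        so a valid code can be attached to any account the caller names."""
        phone = self._pending.pop(code, None)
        if phone is None:
            raise ConfirmError("unknown or already-used code")
        self.linked_phones[profile_id] = phone
        return profile_id

    def confirm_fixed(self, session_user, profile_id, code):
        """The ownership check: the account being modified must be the one
        the session is authenticated as (the __user value in the post)."""
        if profile_id != session_user:
            raise ConfirmError("profile_id does not belong to the authenticated session")
        phone = self._pending.pop(code, None)
        if phone is None:
            raise ConfirmError("unknown or already-used code")
        # Write only to the session user's record, never to the client-supplied id.
        self.linked_phones[session_user] = phone
        return session_user


def demo():
    """Run both handlers on the same constructed input and report what each did."""
    svc = PhoneConfirmService()
    phone = "+44 7700 900123"  # constructed, non-allocated UK number
    results = {}

    # Trusting handler: session user_a links their own phone to user_b's account.
    code = svc.issue_code(phone)
    results["vulnerable_linked_to"] = svc.confirm_vulnerable("user_a", "user_b", code)

    # Fixed handler: the same request is refused before the code is consumed.
    code = svc.issue_code(phone)
    try:
        svc.confirm_fixed("user_a", "user_b", code)
        results["fixed_rejected"] = False
    except ConfirmError:
        results["fixed_rejected"] = True

    # The unconsumed code still works for the account that actually owns the session.
    results["fixed_linked_to"] = svc.confirm_fixed("user_a", "user_a", code)
    return results


if __name__ == "__main__":
    print(demo())
```

The check that matters is the first line of confirm_fixed: any identifier naming the record to be changed must be derived from, or compared against, the authenticated session rather than read from the request body. A production service would additionally bind the pending code to the session that asked for it and rate-limit confirmation attempts, but neither replaces the ownership comparison shown here.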
Readers: Is Facebook doing enough to discover and fix vulnerabilities in its system?