This article describes a simple vulnerability that allowed full control of any Facebook account to be taken without any interaction from the victim. The details follow.
Facebook allows you to associate a mobile phone number with your account. This lets you receive updates via SMS, and it also means you can log in with the phone number instead of your email address.
The vulnerability is located in "/ajax/settings/mobile/confirm_phone.php". The endpoint accepts several parameters, but two matter most: the verification code sent to the phone, and profile_id, the account the phone number is to be associated with.
The key issue is that, although profile_id should obviously be your own account, changing it to the target account's ID does not cause any error: the server trusts the client-supplied value instead of the authenticated session.
To reproduce the issue, we first sent the letter F to Facebook's UK SMS service number, 32665. The reply text message contains an 8-character verification code.
Enter the verification code in the code input box and modify the profile_id element of the fbMobileConfirmationForm form.
After the request is submitted, a success response (HTTP 200) is returned. Note that the value of __user (sent along with the AJAX request) is different from the profile_id we modified, and the server does not check that they match.
Note: after submitting this request you may be asked to re-authenticate; the password to enter is your own, not the target account's.
You will then receive a text message confirming that the phone number was verified successfully.
Now, while still logged in, we can submit a password reset request for the target and ask for the reset code to be sent by SMS.
We then receive a new text message containing the reset verification code.
Entering that code in the form and changing the password completes the process: the account is now under our control.
Solution
Facebook no longer accepts a user-submitted profile_id; the phone number is bound to the authenticated account only.
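As an added illustration that is not part of the original write-up or Facebook's code, the toy handler below models the flaw described above (an account identifier read from the request body instead of the session) next to a hardened version that ignores and rejects a client-supplied profile_id. All function names, the sample phone number and the code value are assumptions constructed for this example.

```python
# Added example, not Facebook's code: a minimal model of a phone-confirmation
# endpoint, first with the flaw the write-up describes, then with the fix.
# Function names and sample data are assumptions made for this example.
import hmac

# Constructed sample state: the verification code that was sent to each phone.
PENDING_CODES = {"+447700900001": "A1B2C3D4"}  # phone -> 8-character code


def _code_is_valid(phone, code):
    # Constant-time comparison of the submitted code against the one sent.
    expected = PENDING_CODES.get(phone)
    return expected is not None and hmac.compare_digest(expected, code)


def confirm_phone_vulnerable(session_user, form, phone_bindings):
    """Binds the phone to whatever profile_id the client submitted.

    The code itself is checked, but the account it is attached to comes from
    the request body, so a user who verified their own phone can attach it
    to any other profile simply by editing the form field.
    """
    phone, code = form["phone"], form["code"]
    if not _code_is_valid(phone, code):
        return {"status": 400, "error": "bad code"}
    target = form.get("profile_id", session_user)  # the flaw: client-controlled
    phone_bindings[phone] = target
    return {"status": 200, "bound_to": target}


def confirm_phone_fixed(session_user, form, phone_bindings):
    """Same handler, but the account is always the authenticated session user.

    A client-supplied profile_id is never used as the target. If it is present
    and differs from the session user the request is treated as tampered and
    rejected, which also gives the server something concrete to log.
    """
    phone, code = form["phone"], form["code"]
    if not _code_is_valid(phone, code):
        return {"status": 400, "error": "bad code"}
    submitted = form.get("profile_id")
    if submitted is not None and str(submitted) != str(session_user):
        return {"status": 403, "error": "profile_id does not match session"}
    phone_bindings[phone] = session_user
    return {"status": 200, "bound_to": session_user}
```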
Disclosure timeline
2013.05.23 - vulnerability reported to Facebook
2013.05.28 - Facebook confirmed the vulnerability
2013.05.28 - problem fixed
Note:
This vulnerability earned a bounty of up to $20,000, reflecting its severity.