Facebook squashes critical account hijacking bug
Posted on 27 June 2013.
A U.K.-based security researcher has shared details of a recently patched Facebook vulnerability that he discovered and for which he received $20,000 via the social network's bug bounty program.

Jack Whitton (aka "fin1te"), who's also a regular submitter to Google's and Etsy's bug bounty programs, has found a simple but critical bug that allowed attackers to gain access and take over random Facebook accounts by sending an SMS.

The attack relies on the fact that many users have a mobile number linked to their Facebook account, and that they can use the number instead of their email address to log into it.

"The flaw lies in the /ajax/settings/mobile/confirm_phone.php end-point. This takes various parameters, but the two main ones are code, which is the verification code received via your mobile, and profile_id, which is the account to link the number to," he explained in a blog post. "The thing is, profile_id is set to your account (obviously), but changing it to your target's doesn't trigger an error."

Whitton has shared the step-by-step process by which the attacker effectively ties his own phone number to the target's account and then submits a password reset request, so that the account's password reset code is delivered via SMS to the attacker's phone. After using the code to access the account and changing the password, the attacker leaves the real owner locked out.

According to the researcher, Facebook confirmed receipt of the report some five days after he had submitted it in late May, and fixed the flaw the same day by no longer accepting the profile_id parameter supplied by the user; the account to link the number to is now taken from the logged-in session instead.
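The root cause described above is a classic insecure direct object reference: the server let the request body, rather than the authenticated session, decide which account a verified phone number gets attached to. The following is an added, constructed toy model of such an endpoint, not Facebook's code and not the researcher's; the class name, the in-memory tables and all user ids and phone numbers are assumptions made up for the example. It shows the "before" handler, which trusts a client-supplied profile_id, beside the hardened handler, which ignores that field, links the number to the session's own user and requires that the verification code was issued to that same user/phone pair. A regression check runs the tampered request against both handlers so a reviewer can confirm the fix does what the article says, and a small log-side helper flags requests where the session user and the submitted profile_id disagree, which is the signal a defender would want alerted on for this bug class.

```python
import hmac
import secrets


class PhoneLinkService:
    """Constructed model of a phone-confirmation endpoint (assumption, not Facebook's code)."""

    def __init__(self):
        self.accounts = {}          # user_id -> linked phone number (or None)
        self.pending_by_phone = {}  # phone -> code        (what the vulnerable handler consults)
        self.pending_by_user = {}   # (user_id, phone) -> code (what the hardened handler consults)

    def create_account(self, user_id, phone=None):
        self.accounts[user_id] = phone

    def request_code(self, session_user_id, phone):
        """Issue a one-time code for `phone` on behalf of the logged-in user.
        Both lookup tables are filled so either confirm variant can be exercised."""
        code = f"{secrets.randbelow(10**6):06d}"  # constructed 6-digit SMS code
        self.pending_by_phone[phone] = code
        self.pending_by_user[(session_user_id, phone)] = code
        return code

    def confirm_phone_vulnerable(self, session_user_id, params):
        """Before the fix: the account to link is read from the request body,
        so `profile_id` is attacker-controlled and the session user is never consulted."""
        target = int(params["profile_id"])
        phone, code = params["phone"], params["code"]
        expected = self.pending_by_phone.get(phone)
        if expected is None or not hmac.compare_digest(expected, code):
            return False
        self.accounts[target] = phone  # binds the number to whatever id the client sent
        del self.pending_by_phone[phone]
        return True

    def confirm_phone_fixed(self, session_user_id, params):
        """After the fix: any client-supplied profile_id is ignored. The link target is the
        session's authenticated user, and the code must have been issued to that user/phone pair."""
        phone, code = params["phone"], params["code"]
        expected = self.pending_by_user.get((session_user_id, phone))
        if expected is None or not hmac.compare_digest(expected, code):
            return False
        self.accounts[session_user_id] = phone
        del self.pending_by_user[(session_user_id, phone)]
        return True


def regression_check():
    """Run the same tampered request (profile_id pointing at another account) through
    both handlers and report which account ended up bound to the submitted number."""
    results = {}
    for name, handler in (("vulnerable", "confirm_phone_vulnerable"),
                          ("fixed", "confirm_phone_fixed")):
        svc = PhoneLinkService()
        svc.create_account(1001, "+15550001111")  # constructed: account being targeted
        svc.create_account(2002)                   # constructed: logged-in session user
        code = svc.request_code(2002, "+15550002222")
        tampered = {"profile_id": "1001", "phone": "+15550002222", "code": code}
        accepted = getattr(svc, handler)(2002, tampered)
        results[name] = {
            "accepted": accepted,
            "target_phone": svc.accounts[1001],
            "session_user_phone": svc.accounts[2002],
        }
    return results


def profile_id_mismatches(request_log):
    """Detection helper: return log entries where the submitted profile_id differs from
    the session's user id. Entries are (session_user_id, profile_id) tuples, constructed here."""
    return [entry for entry in request_log if entry[0] != entry[1]]


if __name__ == "__main__":
    print(regression_check())
    print(profile_id_mismatches([(2002, 2002), (2002, 1001), (3003, 3003)]))
```

In the hardened path the tampered request is still accepted, but it only ever links the number to the session's own account; the targeted account keeps its original number. Keying the pending code by (user, phone) rather than by phone alone also means a code issued in one session cannot be replayed against another.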

Copyright 1998-2014 by Help Net Security.