Jack Whitton (aka "fin1te"), who's also a regular submitter to Google's and Etsy's bug bounty programs, has found a simple but critical bug that allowed attackers to gain access and take over random Facebook accounts by sending an SMS.
The attack relies on the fact that many users have a mobile number linked to their Facebook account, and that they can use the number instead of their email address to log into it.
"The flaw lies in the /ajax/settings/mobile/confirm_phone.php end-point. This takes various parameters, but the two main are code, which is the verification code received via your mobile, and profile_id, which is the account to link the number to," he explained in a blog post. "The thing is, profile_id is set to your account (obviously), but changing it to your target’s doesn’t trigger an error."
Whitton has shared the step-by-step process with which the attacker effectively ties his own phone number with the target's account, and then submits a password reset request in order to get the account password reset code via SMS. After using the code to access the account and changing the password, the real owner is effectively locked out.
According to the researcher, Facebook confirmed the receipt of the report some 5 days after he had reported the bug in late May, and has fixed the flaw on the same day by making it so that the profile_id parameter from the user is no longer accepted.