A UK-based security researcher going by the name of “fin1te” has earned himself $20,000 after uncovering a way to hack into any account on Facebook, just by sending a mobile phone text message.
This should – obviously – have been impossible, but due to a weakness somewhere in Facebook’s tangled nest of millions and millions of lines of code, potentially hundreds of millions of accounts were vulnerable to hijacking through this simple technique.
Fin1te (real name Jack Whitten) has documented how the hack works on his blog.
The first thing to do is send the letter “F” in an SMS message to Facebook, as though you were legitimately registering your mobile phone with the social network. In the UK, the SMS shortcode for Facebook is 32665.
Facebook responds, via SMS, with an eight character confirmation code.
The normal sequence of events would be to enter that confirmation code into a Facebook form, and go on your merry way…
But fin1te discovered that a vulnerability existed in that form which could be exploited to use the confirmation code Facebook had sent him via SMS with *anyone* else’s account.
What fin1te had uncovered was that one of the elements of the mobile activation form contained, as a parameter, the user’s profile ID. That’s the unique number associated with your intended target’s account.
Change the profile ID that is sent by that form to Facebook, and the social network might be duped into thinking you are someone else linking a mobile phone to their account.
Therefore, the first step needed to hijack someone’s account in this way requires your victim’s unique Facebook profile ID.
If you don’t know what someone’s numeric profile ID is, you can always look it up using freely-available tools – they aren’t supposed to be a secret.
Sure enough, fin1te was able to replace the profile ID parameter sent by his browser to Facebook with the unique number of the account he wanted to access…
…and within seconds his mobile phone was sent an SMS confirming that he had successfully connected the device to the account.
Success. A Facebook account now has a third-party’s mobile phone number associated with it. Without any need for malware or phishing. All that was done was to send an SMS text message.
The final stage of the account hijacking is straightforward. Facebook allows you to log into its system using your mobile number rather than an email address if you want, so at login you enter the mobile phone number you have associated with your victim’s account, and request a password reset via SMS.
Sure enough, fin1te discovered that Facebook duly sent him the password reset code for the account – meaning he could change the account’s password, and lock out its legitimate user.
This is an incredibly simple but powerful way to take over anybody’s Facebook account.
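As an added illustration (not code from the article, from fin1te or from Facebook), the Python below models the mobile-activation step with constructed data: the flawed handler takes the target account from the browser-supplied profile ID field, as described above, while the hardened handler takes it from the authenticated session and refuses, with a log line a defender can alert on, any request whose profile ID disagrees with that session. The class, method and field names, the session shape and the phone number are all assumptions.

```python
import logging
import secrets

log = logging.getLogger("phone_link")


class PhoneLinkService:
    """Constructed model of an SMS phone-activation flow (not Facebook's code)."""

    def __init__(self):
        self.phone_by_profile = {}  # profile_id -> linked phone number
        self.pending = {}           # confirmation code -> phone that texted in

    def receive_sms(self, phone, body):
        """Step 1: a phone texts 'F' to the shortcode and gets an 8-character code.
        No account is known yet, so the code can only be bound to the phone."""
        if body.strip().upper() != "F":
            return None
        code = secrets.token_hex(4).upper()  # 8 hex characters
        self.pending[code] = phone
        return code

    def confirm_vulnerable(self, session, form):
        """Flawed pattern: the account that receives the phone is whatever
        profile_id the browser submitted; the logged-in session is ignored."""
        phone = self.pending.pop(form["code"], None)
        if phone is None:
            return False
        self.phone_by_profile[form["profile_id"]] = phone  # client-controlled target
        return True

    def confirm_hardened(self, session, form):
        """Fix: the target account comes only from the authenticated session.
        A submitted profile_id that disagrees with it is treated as tampering:
        the code is consumed, the event is logged, and nothing is linked."""
        phone = self.pending.pop(form["code"], None)
        if phone is None:
            return False
        target = session["user_id"]
        if form.get("profile_id", target) != target:
            log.warning("profile_id %s does not match session user %s; refused",
                        form["profile_id"], target)
            return False
        self.phone_by_profile[target] = phone
        return True
```

The warning line is the detection hook: a session user and a submitted profile ID that differ should never occur in legitimate traffic, so it is worth an alert rather than a silent 4xx.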
The good news is that fin1te disclosed the vulnerability responsibly to Facebook, rather than exploiting it for malicious purposes or selling it to other parties. Facebook has fixed the problem so others can no longer take advantage of this serious security hole, and for his troubles awarded fin1te a hefty $20,000 bug bounty.
But there’s no doubt that on the underground market, perhaps sold to cybercriminals or intelligence agencies, fin1te’s discovery could have earned him even more money.
Who knows what other serious security vulnerabilities may lie inside Facebook that haven’t been responsibly reported to the company’s security team?
If you’re thinking of leaving Facebook, why not listen to this “Smashing Security” podcast we recorded:
Smashing Security #75: 'Quitting Facebook'
I think the guy got paid 20k USD rather than GBP.
You're quite correct. I've fixed the article. Poor guy – that's even worse than £20,000!
Thanks Martijn.
Does this method still work, or has it been fixed?
The vulnerability has been fixed.
Interesting stuff… Gives one food for thought.
Retard! He should have kept that method to himself and controlled accounts that had big fan pages. He could have made 20k+ per day from posting on big fan pages.
Some people have ethics, you know?
Should have been awarded more… unlucky!!
Awesome
My account got hacked and the hacker got my Facebook page. Do you know anyone in Facebook that can help, or can you hack him for me? All I have is his IP address.
I am facing some problems opening my Facebook account. Someone hacked my account and they changed everything under settings. Please, can you send me the password to open that account?
Can you please help me hack my wife's FB account? I know she's cheating. Thanks.
Err. No
Please… give me a video…
Hi, thanks for your info. I am from India and I want to hack some cheater's Facebook account. But as you mentioned, the first thing we have to do is to send a message containing the letter F to Facebook. But to which number should I send it, as I am in India?
Send your contact details to Facebook's security team. I'm sure they'll be interested in what you're trying to do…
How can I hack an FB account? I want to hack; could you please hack this account.
Some dumb individuals read your blog…
My ID is suspended. How can I open my ID? Please solve my problem and open my ID.
Can the person track your number, especially if they have your contact number?
IT IS IMPOSSIBLE TO GET A DIRECT NUMBER TO FACEBOOK SECURITY! YOU GET THE 800 NUMBER FOR FACEBOOK CORPORATION IN CALIF. BUT THEN YOU GET A RECORDING! THIS IS CRAZY! THEY SHOULD LEGALLY HAVE A DIRECT NUMBER SINCE THEY TAKE PEOPLE'S MONEY THRU PAYPAL, MASTERCARD AND VISA! HELP ANYONE!
I am facing a problem with my Facebook ID. I just set the mobile login approval on my account, but someone hacked my ID and now I am not getting a verification code. With that, I don't have any device on which I was logged in before, and the third thing is I am also not able to see my number on the verification code page.
Hey, I'm having trouble on the part where you "alter parameter ids from your own to the victim". Where do I go to do that? What form is it? Is it under our settings? I'm so lost on that part.
I have reported many times a fake Facebook account someone made under my name. Friends have reported it, and yet Facebook does nothing about it. Do you know what else I can do? Thank you! I have a USER ID but I can't get an email from this fake profile; an email would probably help to find out who did it!
I know a security issue of Facebook by which anyone can send a message to anyone's profile as anyone on Facebook… I want to contact the Facebook security team, but how??
Details on how to report Facebook vulnerabilities:
https://www.facebook.com/whitehat
Was wondering the other day: I was on my Facebook and I was chatting with someone and the home page got weird, and a chat box opened. I was talking to someone in another chat box on there, and the other chat box had no name or anything but said "dummy" on it, and then it went away. Did you ever hear of this? And I only have 3 people on my Facebook.
After finding out someone was pretending to be a specific model, I told this individual of my findings and then they blocked me. Someone else already reported this person and nothing has been done to strip the profile from Facebook. Why doesn't Facebook do anything about fake profiles? Thank you.
PLEASE HELLPPPP!!!
I was adding a phone no. to my FB account, and the no. added was the ID of my 2nd account, and now I am not able to access my 2nd account. Both the accounts have the same password and ID and still both are active. Now, when I type the ID and password I can access only one account.
Now, how do I access the other one??? What went wrong??
You mean to say that Facebook does not actually hide the number they ask for the confirmation code??
I am failing to open my account due to the login approval codes that I secured. I lost my codes, so help me out.
Is it free or does it cost something…
He said the vulnerability has been patched. As if he's going to hack an account for you even if it wasn't patched, how stupid are you people? If you're worried about Facebook security, then don't post things you wouldn't want getting out.
Or better still, get rid of your FB account, seriously, why anyone would want to openly profile themselves on the internet is beyond me. You're handing all the blackhats out there a gift should they decide to target you. All for what? Some narcissistic self glorification? Anyone who is serious about security either understands the risks and works accordingly, or they don't have a FB account. I got rid of mine and I miss nothing (except hourly updates on what people are eating, when their house is empty, and how special they think they are because they had a child, like people haven't done that for thousands of years!). Facebook will go down as one of the biggest scams in history for obtaining endless quantities of personal information for free from willing participants who blindly enter in all their details, then they sell it on to advertisers who can then target advertising at these people. BTW Graham, nice blog mate, read it daily, it's a beauty.
Millions of lines of code should be no excuse. At some point, someone who should have known better has broken a fundamental principle of website security design. Facebook must have code-review procedures that are followed before any code goes live, so someone should have reviewed that code to ensure that it followed basic security principles. You should never rely on a username or ID sent from the web browser to authenticate a request unless the ID is accompanied by a password that only the real account holder could know, or unless the request is part of a session that has already been authenticated. This demonstrates a systematic failure in Facebook’s security procedures. If they can make such basic errors then can we really trust any such organisation?
My FB ID has been disabled !! :( :(
I don't have either a passport or a driving licence that they ask for :'(
How can I get my ID back, as it was my life :/ :( :'(
Please help me !!
oh my gosh all the real morons come out to comment on a story like this one…
Graham, would two-factor Facebook auth have made any difference here? I'm guessing not, because the third-party cellphone would be able to generate a working one-time PIN as well, or am I wrong here?
Facebook & Yahoo are very poor in security
Are all these noobs retarded? "Help me to hack Facebook accounts"!
I'm glad you don't discriminate (read: censor), otherwise I couldn't lmao with these peeps! ;)