Skip to main content

HIJACKING A FACEBOOK ACCOUNT WITH SMS

This post will demonstrate a simple bug which will lead to a full takeover of any Facebook account, with no user interaction. Enjoy.
Facebook gives you the option of linking your mobile number with your account. This allows you to receive updates via SMS, and also means you can login using the number rather than your email address.
The flaw lies in the /ajax/settings/mobile/confirm_phone.php end-point. This takes various parameters, but the two main are code, which is the verification code received via your mobile, andprofile_id, which is the account to link the number to.
The thing is, profile_id is set to your account (obviously), but changing it to your target’s doesn’t trigger an error.
To exploit this bug, we first send the letter F to 32665, which is Facebook’s SMS shortcode in the UK. We receive an 8 character verification code back.
To exploit this bug, we first send the letter F to 51555, which is Facebook’s SMS shortcode in the India. We receive an 8 character verification code back.

image
We enter this code into the activation box (located here), and modify the profile_id element inside thefbMobileConfirmationForm form.
image
Submitting the request returns a 200. You can see the value of __user (which is sent with all AJAX requests) is different from the profile_id we modified.
image
Note: You may have to reauth after submitting the request, but the password required is yours, not the targets.
An SMS is then received with confirmation.
image
Now we can initate a password reset request against the user and get the code via SMS.
image
Another SMS is received with the reset code.
image
We enter this code into the form, choose a new password, and we’re done. The account is ours.
image

Fix

Facebook responded by no longer accepting the profile_id parameter from the user.

Timeline

23rd May 2013 - Reported
28th May 2013 - Acknowledgment of Report
28th May 2013 - Issue Fixed

Note

The bounty assigned to this bug was $20,000 to Hacker, clearly demonstrating the severity of the issue.

Comments

Popular posts from this blog

Click-jacking or UI Redressing

Hi! Just want to share my finding, I have found Click-jacking or UI Redressing Vulnerability in   on Google Map , enjoy ;-) This bug was reported to Google Security Team, fixed immediately. About Title:  ClickJacking or UI Redressing on Google Map Business Risk: Normal Discovery Date: October 8, 2013 Author: Jitendra Jaiswal (me) Poc Details   Impact On victim :  1. attacker change victim profile pic by useing his webcam and upload 2. update status acording to attacker Best, Jeet Jaiswal

Evil App Steal Facebook Access Token

Evil App Steal Facebook Access Token  Facebook say about this users Responsible for this its not an issue for facebook so After 3 month i am disclose this may be now they make some change but its still work .......  so users not allow any app to access your data on facebook or dont login anywhere using Facebook may be this an Attacker and After steal your Facebook Access Token he Can Hack your facebook Account  Easily....  [#] Title           :   Evil App Steal Facebook Access Token  [#] Status        :  Unfixed [#] Severity     :  very High [#] Works on  :  Any browser with any version [#] Homepage  :  www.facebook.com [#] Author       :  Jitendra Jaiswal [#] Email          :   jeetjaiswal0@gmail.com This Vulnerability is exploitable to all users who are use facebook apps and allow access of apps an attacker can modify all app setting in url Impact of Vulnerability: An attackers can store  user access token with 2 month no Expires also token not expire if user

'123456' giving tough competition to 'password' in Worst 25 Passwords of 2013

123456, password, 12345678, qwerty… or abc123 , How many of you have your password one of these??? I think quite a many of you. Even after countless warnings and advices given to the users by many security researchers, people are continuously using a weak strength of password chains. After observing many cyber attacks in 2013, we have seen many incidents where an attacker can predict or brute-force your passwords very easily. From 2012, the only change till now is that the string “ password ” has shifted to the second place in a list of the most commonly used passphrases and string “ 123456 ” has taken the first place recently, according to an annual " Worst Passwords " report released by SplashData , a password management software company They announced the annual list of 25 most common passwords i.e. Obviously the worst password that found on the Internet. The Most common lists of the passwords this year are " qwerty ," " abc123 ,&quo