Friday, 5 July 2013

Hacking Facebook Account with just a text Message


Can you imagine that a single text message is enough to hack any Facebook account, without user interaction and without any other malicious tooling such as Trojans, phishing, or keyloggers?

Today we are going to explain how a UK-based security researcher, "fin1te", was able to hack any Facebook account within a minute by sending one SMS.


Because 90% of us are Facebook users too, we know there is an option to link your mobile number with your account, which lets you receive Facebook account updates via SMS directly on your mobile and also log in to your account using that linked number rather than your email address or username.
According to the researcher, the loophole was in the phone-number linking process, or in technical terms, in the file /ajax/settings/mobile/confirm_phone.php.

This particular page works in the background when a user submits his phone number and the verification code that Facebook sent to his mobile. That submission form has two main parameters: one for the verification code, and a second, profile_id, which is the account to link the number to.


According to the researcher, the attack took these steps:
  1. Change the value of profile_id to the victim's profile_id by tampering with the form parameters.
  2. Send the letter F to 32665, Facebook's SMS shortcode in the UK. You receive an 8-character verification code back.
  3. Enter that code in the box (or as the confirmation_code parameter value) and submit the form.

Facebook accepted that confirmation code, and the attacker's mobile number was linked to the victim's Facebook profile.

In the next step the attacker just needs to go to the Forgot Password option and initiate a password reset request against the victim's account.

The attacker can then receive the password recovery code on his own mobile number, which was linked to the victim's account in the steps above. Enter the code and reset the password!

After receiving the bug report from the researcher, Facebook no longer accepts the profile_id parameter from the user's end.
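To show why that fix matters, here is an added illustration (not fin1te's or Facebook's code): a minimal Python model of the confirm_phone handler described above, with the flawed version that takes profile_id from the form beside a hardened one that binds the link to the logged-in session. The function names, the in-memory stores and the sample phone number are constructed assumptions.

```python
import hmac
import secrets

# Constructed in-memory state standing in for the backend (an assumption, not Facebook's code).
linked_numbers = {}   # profile_id -> phone number linked to that account
pending_codes = {}    # confirmation code -> phone number it was texted to

def issue_code(phone):
    """SMS leg: the number that texts the shortcode gets an 8-character code back."""
    code = secrets.token_hex(4).upper()
    pending_codes[code] = phone
    return code

def phone_for_code(submitted):
    """Find the phone a submitted code was issued to, comparing in constant time."""
    for code, phone in pending_codes.items():
        if hmac.compare_digest(code.encode(), submitted.encode()):
            return phone
    return None

def confirm_phone_vulnerable(session, form):
    """The flaw the page describes: the account to link is read from the form."""
    phone = phone_for_code(form.get("confirmation_code", ""))
    if phone is None:
        return False
    linked_numbers[form["profile_id"]] = phone   # attacker-chosen target account
    return True

def confirm_phone_fixed(session, form):
    """Hardened handler: the account to link is the authenticated user, nothing else."""
    submitted = form.get("confirmation_code", "")
    phone = phone_for_code(submitted)
    if phone is None:
        return False
    del pending_codes[submitted]                 # codes are single-use
    linked_numbers[session["user_id"]] = phone   # any profile_id in the form is ignored
    return True

def run_scenario(handler):
    """Replay the page's tampering scenario against a handler; return the resulting links."""
    linked_numbers.clear()
    pending_codes.clear()
    code = issue_code("+44 7700 900000")   # constructed attacker number (UK test range)
    handler({"user_id": "attacker_id"}, {"profile_id": "victim_id", "confirmation_code": code})
    return dict(linked_numbers)

if __name__ == "__main__":
    print("vulnerable:", run_scenario(confirm_phone_vulnerable))
    print("fixed:     ", run_scenario(confirm_phone_fixed))
```

With the vulnerable handler the attacker's number ends up on victim_id; with the fixed one it can only ever land on the session's own account, and a replayed code is rejected.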

In return, Facebook paid fin1te $20,000 as a bug bounty.
