Facebook has recently fixed a vulnerability that could have allowed hackers to easily hijack any Facebook account by leveraging the feature that allows users to receive updates via SMS by linking their accounts to their mobile phone number.
According to UK-based researcher Jack Whitton, the man who identified the flaw, the vulnerability existed in the “/ajax/settings/mobile/confirm_phone.php” end-point.
The expert found that changing the “profile_id” parameter, which stores the account the phone number is linked to, didn’t trigger an error.
The attacker would first need to obtain an 8-character verification code by sending the letter F to the Facebook SMS shortcode.
By modifying the “profile_id” parameter inside the “fbMobileConfirmationForm” form and by entering the received verification code into this activation box, the attacker could have gained access to the Facebook accounts associated with the “profile_id.”
At this point, the targeted account’s password could have been easily changed.
Facebook was notified of the issue on May 23, 2013. The company addressed it five days later by no longer accepting the “profile_id” parameter from the user.
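As an added illustration (not Facebook's code, which is not public), the following Python model shows the design flaw behind the bug and the fix described above: the confirmation step must bind the phone number to the account of the authenticated session, never to a client-supplied profile_id. The service class, its in-memory state and the verification-code format are constructed for the example.

```python
# Added illustration (not Facebook's code): a minimal model of a phone-confirmation
# endpoint, showing the insecure design (trusting a client-supplied profile_id)
# beside the corrected design (binding the action to the authenticated session).
from dataclasses import dataclass, field
import secrets


@dataclass
class PhoneConfirmService:
    # pending[code] = phone number that requested the code (constructed sample state)
    pending: dict = field(default_factory=dict)
    # linked[profile_id] = phone number now attached to that account
    linked: dict = field(default_factory=dict)

    def issue_code(self, phone: str) -> str:
        """Model of the SMS step: an 8-character code is issued to a phone number."""
        code = secrets.token_hex(4)  # 8 hex characters; constructed format
        self.pending[code] = phone
        return code

    def _redeem(self, code: str) -> str:
        """Consume a pending code once, or refuse unknown codes."""
        if code not in self.pending:
            raise ValueError("unknown or already used verification code")
        return self.pending.pop(code)

    def confirm_vulnerable(self, session_user: str, form: dict) -> str:
        """Insecure: the account to link comes from the form's profile_id,
        which is never compared with the logged-in session user."""
        phone = self._redeem(form["code"])
        target = form["profile_id"]  # attacker-controlled, unchecked
        self.linked[target] = phone
        return target

    def confirm_fixed(self, session_user: str, form: dict) -> str:
        """Fixed: any profile_id sent by the client is ignored; the phone number
        is linked only to the account the session is authenticated as."""
        phone = self._redeem(form["code"])
        self.linked[session_user] = phone
        return session_user
```

Only the session identity should choose the account being modified; a server-side check that the form's profile_id equals the session user would also close the hole, but dropping the parameter entirely leaves nothing for a client to tamper with.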
A detailed proof-of-concept of the attack is available here.