How to hack any Facebook account in under a minute, by sending just one SMS

By -
Fin1te (real name Jack Whitten) has documented how the hack works on his blog.
The first thing to do is send the letter "F" in an SMS message to Facebook, as though you were legitimately registering your mobile phone with the social network. In the UK, the SMS shortcode for Facebook is 32665.
Send an SMS to Facebook
Facebook responds, via SMS, with an eight character confirmation code.
The normal sequence of events would be to enter that confirmation code into a Facebook form, and go on your merry way...
Facebook mobile activation form
But fin1te discovered that a vulnerability existed on that form, that could be exploited to use the confirmation code he had been sent by Facebook via SMS with *anyone* else's account.
Learn more about security issues on Facebook, and get early warning on scams and scares, by joining thousands of others and liking the Graham Cluley Security News Facebook page today.
What fin1te had uncovered was that one of the elements of the mobile activation form contained, as a parameter, the user's profile ID. That's the unique number associated with your intended target's account.
Profile ID parameter inside form
Change the profile ID that is sent by that form to Facebook, and the social network might be duped into thinking you are someone else linking a mobile phone to their account.
Therefore, the first step needed to hijack someone's account in this way requires your victim's unique Facebook profile ID.
If you don't know what someone's numeric profile ID is, you can always look it up usingfreely-available tools - they aren't supposed to be a secret.
Find a Facebook profile ID
Sure enough, fin1te was able to replace the profile ID parameter sent by his browser to Facebook with the unique number of the account he wanted to access...
Facebook hack data
.. and within seconds his his mobile phone was sent an SMS confirming that he had successfully connected the device to the account.
Facebook confirmation SMS
Success. A Facebook account now has a third-party's mobile phone number associated with it. Without any need for malware or phishing. All that was done was to send an SMS text message.
The final stage of the account hijacking is straightforward. Facebook allows you to log into its system using your mobile number rather than an email address if you want, so at login you enter the mobile phone number you have associated with your victim's account, and request a password reset via SMS.
Facebook password reset code
Sure enough, fin1te discovered that Facebook duly sent him the password reset code for the account - meaning he could change the account's password, and lock out its legitimate user.
This is an incredibly simple but powerful way to take over anybody's Facebook account.
The good news is that fin1te disclosed the vulnerability responsibly to Facebook, rather than exploited it for malicious intentions or sold it to other parties. Facebook has fixed the problem so others can no longer take advantage of this serious security hole. For his troubles, Facebook awarded fin1te a hefty $20,000 worth of bug bounty and fixed the vulnerability.
But there's no doubt that on the underground market, perhaps sold to cybercriminals or intelligence agencies, fin1te's discovery could have earned him even more money.
Who knows what other serious security vulnerabilities may lay inside Facebook that haven't been responsibly reported to the company's security team?

Comments

Post a Comment

Popular posts from this blog

HACK EMAIL-ID,USERNAME AND PASSWORD OR ANY USER DETAILS BY USING KALI LINUX.

By -
Image
HACK EMAIL-ID,USERNAME AND PASSWORD OR ANY USER DETAILS BY USING  KALI LINUX . Today,i am going to show you how you can get email-id,username and password or any user details you want by using  KALI LINUX . STEPS FOR SETTING UP YOUR SYSTEM. Download Kali Linux from   here . Extract the contents of Kali Linux iso file which you  downloaded in step and copy it to pendrive or instead of pendrive burn the iso file in cd if you want to make a cd of it. After copying all contents to pendrive or burning the iso file in cd,reboot you system,press F8 on boot-time and select boot from pendrive if you have copied all the files in pendrive,else boot from cd-rom if you burn the iso file in cd. After selecting the boot from device,the kali installation window will open,install accordingly as per your requirement. NOTE:During installation,in mount point of selected installation drive,set mount point to  "/" . Remember the username and password while installation as this will
Read more

Port Fail Vulnerability : Critical VPN Vulnerability

By -
Image
Port Fail Vulnerability : Critical VPN Vulnerability How Port Fail Vulnerability Exposes your REAL IP on SKYPE Using Port Fail Vulnerability it’s possible to disclose the real IP of a Skype accounts you’re interested in. There are a bunch of Skype IP resolvers which can give you the VPN IP address and port number of a Skype user using only their Skype login. Then you need to use the same thing a copyright monitoring company would use — send some UDP packets to the whole internet on the exact port. It’s remarkable but Skype will send you a reply for almost any data! The nping utility from  nmap  package suits our needs very well: # nping --udp -p 13318 --data-string 'hellothere!' -c 1 serv.valdikss.org.ru Starting Nping 0.7.00 ( https://nmap.org/nping ) at 2015-12-20 19:54 MSK SENT (0.0157s) UDP 195.154.127.59:53 > 92.42.31.8:13318 ttl=64 id=10802 iplen=39  RCVD (0.0859s) UDP 185.61.149.121:4272 > 195.154.127.59:53 ttl=54 id=1534 iplen=32    Max rtt: N/A | M
Read more