
Facebook Tips by Spyboy456

How to hack any Facebook account in under a minute, by sending just one SMS

Graham Cluley | June 28, 2013 8:28 am | Filed under: Facebook, Mobile, Privacy, Vulnerability

A UK-based security researcher going by the name of
“fin1te” has earned himself $20,000 after uncovering a way to hack into any
account on Facebook, just by sending a mobile phone text message.

This should – obviously – have been impossible, but due to a weakness in
Facebook’s tangled nest of millions and millions of lines of code, potentially
hundreds of millions of accounts were vulnerable to hijacking through the simple
technique.

Fin1te (real name Jack Whitton) has documented how the hack works on
his blog.
The first thing to do is send the letter “F” in an SMS message to Facebook, as
though you were legitimately registering your mobile phone with the social
network. In the UK, the SMS shortcode for Facebook is 32665.
Facebook responds, via SMS, with an eight character confirmation code.

The normal sequence of events would be to enter that confirmation code into a
Facebook form, and go on your merry way…

But fin1te discovered that a vulnerability existed on that form, that could be
exploited to use the confirmation code he had been sent by Facebook via SMS
with *anyone* else’s account.

What fin1te had uncovered was that one of the elements of the mobile activation
form contained, as a parameter, the user’s profile ID. That’s the unique number
associated with your intended target’s account.

Change the profile ID that is sent by that form to Facebook, and the social
network might be duped into thinking you are someone else linking a mobile
phone to their account.

Therefore, the first step needed to hijack someone’s account in this way requires
your victim’s unique Facebook profile ID.

If you don’t know what someone’s numeric profile ID is, you can always look it up
using freely-available tools – they aren’t supposed to be a secret.

Sure enough, fin1te was able to replace the profile ID parameter sent by his
browser to Facebook with the unique number of the account he wanted to
access…

… and within seconds his mobile phone was sent an SMS confirming that he
had successfully connected the device to the account.

Success. A Facebook account now has a third-party’s mobile phone number
associated with it. Without any need for malware or phishing. All that was done
was to send an SMS text message.

The final stage of the account hijacking is straightforward. Facebook allows you
to log into its system using your mobile number rather than an email address if
you want, so at login you enter the mobile phone number you have associated
with your victim’s account, and request a password reset via SMS.
Sure enough, fin1te discovered that Facebook duly sent him the password reset
code for the account – meaning he could change the account’s password, and
lock out its legitimate user.
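The weakness described above is an authorization bug in the confirmation step: the server trusted a profile ID supplied by the client form instead of the account that had actually requested the code. The following is an added illustration, not Facebook's code or fin1te's, using a constructed in-memory service with made-up profile IDs and phone number; `confirm_vulnerable` models the pre-fix behaviour, and `confirm_fixed` shows the check that binds a confirmation code to the requesting session.

```python
import secrets
from dataclasses import dataclass, field

ATTACKER_ID, VICTIM_ID = 1001, 2002      # constructed profile IDs
ATTACKER_PHONE = "+447700900123"         # constructed phone number


@dataclass
class PhoneLinkService:
    """Minimal stand-in for the mobile-activation flow; all state is in memory."""
    phone_for_user: dict = field(default_factory=dict)   # profile ID -> linked phone
    pending: dict = field(default_factory=dict)          # code -> (requester ID, phone)

    def send_code_by_sms(self, session_user_id: int, phone: str) -> str:
        # Step 1: the user texts "F" from `phone`; the service replies with a code
        # and records which logged-in account asked for it.
        code = secrets.token_hex(4)                      # 8 characters, as in the article
        self.pending[code] = (session_user_id, phone)
        return code

    def confirm_vulnerable(self, code: str, form_profile_id: int) -> bool:
        # Pre-fix behaviour described in the article: the profile ID is taken from
        # a client-controlled form parameter, so a valid code links the requester's
        # phone to whichever account the client names.
        entry = self.pending.pop(code, None)
        if entry is None:
            return False
        self.phone_for_user[form_profile_id] = entry[1]
        return True

    def confirm_fixed(self, code: str, session_user_id: int, form_profile_id: int) -> bool:
        # Hardened: the form parameter is ignored; the code must have been issued to
        # the same authenticated account that is now redeeming it.
        entry = self.pending.get(code)
        if entry is None or entry[0] != session_user_id:
            return False
        del self.pending[code]
        self.phone_for_user[session_user_id] = entry[1]
        return True


def replay(with_fix: bool) -> dict:
    # The article's scenario: a code is requested from the attacker's own phone and
    # then submitted with the victim's profile ID in the form. Returns the link table.
    svc = PhoneLinkService()
    code = svc.send_code_by_sms(ATTACKER_ID, ATTACKER_PHONE)
    if with_fix:
        svc.confirm_fixed(code, session_user_id=ATTACKER_ID, form_profile_id=VICTIM_ID)
    else:
        svc.confirm_vulnerable(code, form_profile_id=VICTIM_ID)
    return svc.phone_for_user
```

With the fix in place the attacker's phone can only ever be attached to the attacker's own account, which is exactly what the later SMS password-reset step relies on being true.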

This is an incredibly simple but powerful way to take over anybody’s Facebook
account.

The good news is that fin1te disclosed the vulnerability responsibly to Facebook,
rather than exploited it for malicious intentions or sold it to other parties.
Facebook has fixed the problem so others can no longer take advantage of this
serious security hole. For his troubles, Facebook awarded fin1te a hefty $20,000
worth of bug bounty and fixed the vulnerability.

But there’s no doubt that on the underground market, perhaps sold to
cybercriminals or intelligence agencies, fin1te’s discovery could have earned him
even more money.

Who knows what other serious security vulnerabilities may lay inside Facebook
that haven’t been responsibly reported to the company’s security team?

If you are on Facebook, and want to be kept up to date on the latest privacy and
security risks threatening users, be sure to Like the “Graham Cluley Security
News” Facebook page.
