Facebook pays $20K for easily exploitable flaw that could have led to account hijackings

28 Jun 2013 | Facebook, Mobile, Security threats, Vulnerability
by Lisa Vaas

Facebook has paid out $20,000 for a serious bug that could have allowed an attacker to hijack anyone’s account with ease, with no user interaction on the part of the victim.

Jack Whitten, the UK-based application-security engineer (by day) and security researcher (by night) who discovered the flaw, said in a post-mortem on Wednesday that he reported the hole to Facebook on 23 May and that it was fixed by 28 May.

The exploit was enabled by manipulating the way that Facebook handles updates to mobile phones via SMS.

As it is, Whitten explains, Facebook gives users the option of linking their mobile numbers with their accounts.

Users can then receive updates via SMS and can also log in using their phone number rather than their email address.

Whitten found that when sending the letter F to Facebook’s SMS shortcode – which is 32665 in the UK – Facebook returned an 8-character verification code.

After submitting the code into the activation box and fiddling with the profile_id form element, Facebook sent Whitten back a _user value that was different from the profile_id that Whitten modified.

Whitten notes that an attacker trying the exploit might be asked to reauthorize after submitting the request, but could do so with his own password rather than having to guess the target’s.

After that point, Facebook was sending an SMS confirmation. From there, Whitten said, an intruder could initiate a password reset request on his targeted user’s account and get the code back, again via SMS.

After a reset code is sent via SMS, the account is hijacked, Whitten wrote:

We enter this code into the form, choose a new password, and we're done. The account is ours.

Facebook closed the security hole by no longer accepting the profile_id parameter from users.
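To make the bug class concrete, here is an added, constructed example (not Facebook's code, and all names and values are hypothetical): a toy SMS-activation handler that trusts a client-supplied profile_id, beside the fix of taking the target account only from the authenticated session and rejecting any mismatching profile_id.

```python
# Added illustration, not Facebook's code. Simulates the SMS activation flow
# described above: the user texts the shortcode, gets an 8-character code,
# then submits it in a form. All stores and phone numbers are constructed.
import secrets

# Constructed store: verification code -> phone number it was issued to.
PENDING_CODES = {}
# Constructed account store: profile_id -> linked phone number (None = unlinked).
ACCOUNTS = {"1001": None, "1002": None}
# Audit trail of rejected activations (what a defender would alert on).
AUDIT_LOG = []


def issue_code(phone_number):
    """Reply to the 'F' text: mint an 8-character code tied to the sender."""
    code = secrets.token_hex(4)  # 4 bytes -> 8 hex characters
    PENDING_CODES[code] = phone_number
    return code


def activate_vulnerable(session_user, form):
    """Vulnerable: links the phone to whichever profile_id the form names."""
    phone = PENDING_CODES.pop(form.get("code"), None)
    if phone is None:
        return None
    target = form.get("profile_id", session_user)  # attacker-controlled value
    ACCOUNTS[target] = phone
    return target


def activate_fixed(session_user, form):
    """Fixed: the target account comes only from the authenticated session."""
    submitted = form.get("profile_id")
    if submitted is not None and submitted != session_user:
        # A client naming a different account is a tamper signal: refuse and log.
        AUDIT_LOG.append((session_user, submitted))
        return None
    phone = PENDING_CODES.pop(form.get("code"), None)
    if phone is None:
        return None
    ACCOUNTS[session_user] = phone
    return session_user
```

The audit entries are the detection hook: in the vulnerable version the mismatch is silently honoured, in the fixed version it is refused and recorded.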

This could have been a valuable flaw were it to fall into the hands of attackers who might have used it to steal personal data or send out spam.

As it is, one commenter on Whitten’s post who obviously didn’t understand the “it’s now fixed” part of the story made the bug’s value clear with his or her eagerness to figure out how to exploit it:

khalil0777 • a day ago

someone explain me how to exploit it i am really need it i wait your helps friends :/

:/ oh well, khalil0777, looks like you’re too late for that party.

I’d say better luck next time, but perhaps instead I’ll save my good wishes for Mr. Whitten.

May he enjoy his $20,000.

It was well-earned, and it’s a bargain for Facebook even were the reward to be doubled, considering the grief that could have been caused by such an easy exploit.


Images of money and thumbs up courtesy of Shutterstock.


2 comments on “Facebook pays $20K for easily exploitable flaw that could have led to account hijackings”

  1. Vijay Kumar (vjbadstreetboyz) says:
    July 1, 2013 at 9:30 pm

    This looks to be awesome….! Nice work by Mr. Whitten…

    Reply
  2. Dhiman De says:
    July 8, 2013 at 8:08 am

    Surprising ….. !! Mr. Whitten … should be rewarded more ..

    Reply
