Nytro

Hijacking a Facebook Account with SMS


Posted

[h=2]Hijacking a Facebook Account with SMS[/h]

This post will demonstrate a simple bug which will lead to a full takeover of any Facebook account, with no user interaction. Enjoy.

Facebook gives you the option of linking your mobile number with your account. This allows you to receive updates via SMS, and also means you can login using the number rather than your email address.

The flaw lies in the /ajax/settings/mobile/confirm_phone.php end-point. This takes various parameters, but the two main ones are code, which is the verification code received via your mobile, and profile_id, which is the account to link the number to.

The thing is, profile_id is set to your account (obviously), but changing it to your target’s doesn’t trigger an error.

To exploit this bug, we first send the letter F to 32665, which is Facebook’s SMS shortcode in the UK. We receive an 8 character verification code back.


We enter this code into the activation box (located here), and modify the profile_id element inside the fbMobileConfirmationForm form.


Submitting the request returns a 200. You can see the value of __user (which is sent with all AJAX requests) is different from the profile_id we modified.


Note: You may have to reauth after submitting the request, but the password required is yours, not the target's.

An SMS is then received with confirmation.


Now we can initiate a password reset request against the user and get the code via SMS.


Another SMS is received with the reset code.


We enter this code into the form, choose a new password, and we’re done. The account is ours.


[h=4]Fix[/h] Facebook responded by no longer accepting the profile_id parameter from the user.

[h=4]Timeline[/h] 23rd May 2013 - Reported

28th May 2013 - Acknowledgment of Report

28th May 2013 - Issue Fixed

[h=4]Note[/h] The bounty assigned to this bug was $20,000, clearly demonstrating the severity of the issue.

Source: http://blog.fin1te.net/post/53949849983/hijacking-a-facebook-account-with-sms
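The takeover chain described in the post, as an added example that is not code from fin1te's write-up or from Facebook: a toy in-memory model of the confirm_phone flow in which the pre-fix handler binds the phone number to the client-supplied profile_id while the post-fix handler ignores that field and binds it to the authenticated __user. The account names, the attacker phone number, the code formats and the SMS log are constructed for illustration.

```python
"""Toy model of the phone-confirmation and password-reset flow from the post.
Added example, not code from the post or from Facebook; accounts, phone
numbers and the in-memory stores are constructed for illustration."""
import secrets

ATTACKER_PHONE = "+447700900001"   # constructed attacker-controlled number


def fresh_state():
    """Two accounts with no phone linked, plus empty SMS and code stores."""
    return {
        "accounts": {"attacker": {"password": "attacker-pw", "phone": None},
                     "victim":   {"password": "victim-pw",   "phone": None}},
        "phone_codes": {},   # phone -> confirmation code (reply to texting F to 32665)
        "reset_codes": {},   # account -> password reset code
        "sms": [],           # (phone, text) log standing in for SMS delivery
    }


def request_phone_code(st, phone):
    code = secrets.token_hex(4)            # 8 characters, like the code in the post
    st["phone_codes"][phone] = code
    st["sms"].append((phone, f"confirm:{code}"))


def confirm_phone_vulnerable(st, session_user, params):
    """Pre-fix behaviour: the account to link comes from the profile_id form
    field, even though __user (the session) identifies a different account."""
    phone, code = params["phone"], params["code"]
    if st["phone_codes"].get(phone) != code:
        return 400
    target = params.get("profile_id", session_user)   # attacker-controlled
    st["accounts"][target]["phone"] = phone
    del st["phone_codes"][phone]
    return 200


def confirm_phone_fixed(st, session_user, params):
    """Post-fix behaviour: profile_id is not read at all; the phone is bound
    to the authenticated account only."""
    phone, code = params["phone"], params["code"]
    if st["phone_codes"].get(phone) != code:
        return 400
    st["accounts"][session_user]["phone"] = phone
    del st["phone_codes"][phone]
    return 200


def request_password_reset(st, account):
    """Sends a reset code to whatever phone is currently linked to the account."""
    phone = st["accounts"][account]["phone"]
    if phone is None:
        return False
    code = secrets.token_hex(3)
    st["reset_codes"][account] = code
    st["sms"].append((phone, f"reset:{code}"))
    return True


def complete_password_reset(st, account, code, new_password):
    if st["reset_codes"].get(account) != code:
        return False
    st["accounts"][account]["password"] = new_password
    del st["reset_codes"][account]
    return True


def inbox(st, phone, kind):
    """Codes of the given kind ('confirm:' or 'reset:') received on this phone."""
    return [t.split(":", 1)[1] for p, t in st["sms"]
            if p == phone and t.startswith(kind)]


def takeover(confirm_handler):
    """Replays the post's steps against one confirm handler and reports whether
    the attacker ends up controlling the victim's password."""
    st = fresh_state()
    request_phone_code(st, ATTACKER_PHONE)                     # text F to 32665
    code = inbox(st, ATTACKER_PHONE, "confirm:")[-1]
    confirm_handler(st, "attacker", {"phone": ATTACKER_PHONE, "code": code,
                                     "profile_id": "victim"})  # tampered field
    request_password_reset(st, "victim")                       # reset against victim
    reset_codes = inbox(st, ATTACKER_PHONE, "reset:")
    if not reset_codes:
        return False                    # reset code did not reach the attacker
    complete_password_reset(st, "victim", reset_codes[-1], "owned")
    return st["accounts"]["victim"]["password"] == "owned"


if __name__ == "__main__":
    print("vulnerable endpoint, takeover:", takeover(confirm_phone_vulnerable))
    print("fixed endpoint, takeover:", takeover(confirm_phone_fixed))
```

Running the script shows the vulnerable handler yielding a takeover and the fixed one not. The point worth carrying over to any real endpoint is the one the post makes with __user versus profile_id: the identity a state-changing request acts on must come from the session, and a client-supplied identifier that duplicates it should be ignored or rejected, never trusted because the rest of the request (here, a valid SMS code) checks out.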

Posted

I also have an issue reported in exactly that place, on 08.05. It was not profile_id; the idea was that you could assign yourself any phone number without needing the sms_code. I could even enter 072222222 and did not have to supply an sms_code. They probably changed it and got it wrong again. They replied to me after a few weeks with an idiotic question, and since then I have had no sign from them.

I looked just now at what I sent them back then, and there was no profile_id in it.
