The bug was originally discovered by UK-based security researcher and bug hunter Jack Whitten. It relates to the way Facebook manages updates to mobile devices via SMS, he explained.
"Facebook gives you the option of linking your mobile number with your account. This allows you to receive updates via SMS, and also means you can log in using the number rather than your email address. The flaw lies in the /ajax/settings/mobile/confirm_phone.php end-point. This takes various parameters, but the two main ones are code, which is the verification code received via your mobile, and profile_id, which is the account to link the number to," Whitten noted.
Whitten said that the flaw could potentially be used by criminals to hijack control of unwary users' Facebook accounts. "The thing is, profile_id is set to your account (obviously), but changing it to your target's doesn't trigger an error. To exploit this bug, we first send the letter F to 32665, which is Facebook's SMS shortcode in the UK. We receive an eight-character verification code back. We enter this code into the activation box, and modify the profile_id element inside the fbMobileConfirmationForm form," he wrote.
"Now we can initiate a password reset request against the user and get the code via SMS. Another SMS is received with the reset code. We enter this code into the form, choose a new password, and we're done. The account is ours."
A Facebook spokesman confirmed to V3 that it has since fixed the flaw, changing the endpoint so that its systems no longer accept the profile_id parameter listed in Whitten's exploit from the user. The spokesman went on to thank Whitten for his help uncovering the flaw, listing it as a key victory in Facebook's ongoing bug bounty programme. "Facebook's White Hat programme is designed to catch and eradicate bugs before they cause problems. Once again, the system worked and we thank Jack for his contribution," the Facebook spokesman said.
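The fix Facebook describes amounts to binding the link target to the authenticated session instead of a client-supplied field. The following is an added example, not Facebook's code: a minimal model of the confirm_phone handler in its flawed form beside a hardened form. The in-memory store, the PhoneLinkService class and its method and parameter names are assumptions for illustration.

```python
# Added example (not Facebook's code): models the phone-confirmation endpoint
# from the article, flawed version beside the hardened version.
import secrets
from dataclasses import dataclass, field


@dataclass
class PhoneLinkService:
    # profile_id -> phone number linked to that account
    linked: dict = field(default_factory=dict)
    # verification code -> (phone, profile_id the code was issued to)
    pending: dict = field(default_factory=dict)

    def issue_code(self, profile_id: str, phone: str) -> str:
        """Stands in for the SMS shortcode reply: an 8-character code tied
        to the profile that requested it (constructed, not the real format)."""
        code = secrets.token_hex(4)  # 8 hex characters
        self.pending[code] = (phone, profile_id)
        return code

    def confirm_vulnerable(self, session_profile: str, params: dict) -> bool:
        """Flawed handler: trusts the client-supplied profile_id, so a valid
        code for the caller's own phone can be linked to any account."""
        entry = self.pending.get(params.get("code"))
        if entry is None:
            return False
        phone, _issued_to = entry
        target = params.get("profile_id", session_profile)  # attacker-controlled
        self.linked[target] = phone
        return True

    def confirm_hardened(self, session_profile: str, params: dict) -> bool:
        """Hardened handler: the target profile comes only from the session,
        the code must have been issued to that profile, and codes are single-use."""
        code = params.get("code")
        entry = self.pending.get(code)
        if entry is None:
            return False
        phone, issued_to = entry
        if issued_to != session_profile:  # code belongs to a different account
            return False
        del self.pending[code]            # burn the code after one use
        self.linked[session_profile] = phone  # any client profile_id is ignored
        return True
```

The vulnerable handler lets a caller holding a code for their own phone attach it to another profile_id; the hardened one can only ever link the caller's own account, which is the behaviour the spokesman describes.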
He added the flaw could never have been automatically exploited, meaning its impact, even if targeted by hackers, would be limited. Despite the comment, other bug hunters have attacked Facebook, claiming Whitten has been drastically under-rewarded. Commentator Mohammad Husain wrote on his blog: "This is worth more than $20,000", while fellow blogger Shadôw Hawk added, "This issue is worthy [of a] million dollars".
Bug bounties are an increasingly common tactic used by tech companies to spot flaws in their systems, with big name firms like Google having established programmes. Most recently, security aggregator PacketStorm launched its own bug bounty programme, offering bug hunters as much as $7,000 for uncovering working exploits.