The Inquirer-Home

Facebook pays a $20,000 bug bounty for an account hijacking flaw

Social network fixes the SMS account vulnerability
Fri Jun 28 2013, 13:50
Facebook

SOCIAL NETWORK Facebook has fixed a critical flaw that left users' accounts open to hacking attacks, shelling out a huge $20,000 bounty to the bug hunter who found the vulnerability.

The bug was discovered by UK based security researcher and bug hunter Jack Whitten. He said that the flaw was related to the way Facebook managed updates to mobile devices via SMS.

"Facebook gives you the option of linking your mobile number with your account. This allows you to receive updates via SMS, and also means you can log in using the number rather than your email address. The flaw lies in the /ajax/settings/mobile/confirm_phone.php end-point. This takes various parameters, but the two main are code, which is the verification code received via your mobile, and profile_id, which is the account to link the number to," Whitten explained.

Whitten said that the flaw could potentially have been used by criminals to hijack control of unwary users' Facebook accounts. "The thing is, profile_id is set to your account (obviously), but changing it to your target's doesn't trigger an error. To exploit this bug, we first send the letter F to 32665, which is Facebook's SMS shortcode in the UK. We receive an eight-character verification code back. We enter this code into the activation box, and modify the profile_id element inside the fbMobileConfirmationForm form," he wrote.

"Now we can initate a password reset request against the user and get the code via SMS. Another SMS is received with the reset code. We enter this code into the form, choose a new password, and we're done. The account is ours."

A Facebook spokesman told The INQUIRER that it has since fixed the flaw, changing the code so its systems no longer accept the profile_id parameter listed in Whitten's report.

The spokesman went on to thank Whitten for his help in uncovering the exploit, listing it as a key victory in Facebook's ongoing bug bounty programme. "Facebook's White Hat programme is designed to catch and eradicate bugs before they cause problems. Once again, the system worked and we thank Jack for his contribution," the Facebook spokesman said.

He added that the flaw could never have been automatically exploited, meaning its impact, even if targeted by hackers, would have been limited. Despite that comment, other bug hunters have attacked Facebook, claiming that it drastically under-rewarded Whitten. Commentator Mohammad Husain wrote on his blog, "This is worth more than $20,000," while fellow blogger Shadôw Hawk added, "This issue is worthy [of a] million dollars."

Bug bounties are an increasingly common tactic used by information technology companies to spot flaws in their systems, with big name firms like Google having established reward programmes.

Most recently, security aggregator PacketStorm launched its own bug bounty programme, offering bug hunters as much as $7,000 for uncovering working exploits. µ

 

Share this:

blog comments powered by Disqus
Advertisement
Subscribe to INQ newsletters

Sign up for INQbot – a weekly roundup of the best from the INQ

Advertisement
INQ Poll

Dead electronic devices to be banned on US-bound flights

Will the new rules banning uncharged devices be effective?