UK Researcher Lands $20,000 For Finding Glaring Facebook Flaw

A serious flaw in Facebook that could have allowed widespread account hijacking has been uncovered by a UK researcher, who has been rewarded with $20,000.

The vulnerability, which has now been fixed, was a particularly nasty one and easy to exploit. It allowed for a “full takeover of any Facebook account, with no user interaction”, researcher Jack Whitton, also known as fin1te, wrote in their blog.

Facebook vulnerability

The problem lay in how Facebook let users login to their accounts on a mobile using their number rather than their normal login details.

When Whitton texted Facebook with a simple “F” to get the verification code needed to get the mobile login feature, he was asked to enter that code into a form. But that form contained a flaw, which allowed him to change the profile_id parameter so he could link any user with his authorisation code, therefore opening accounts up for hijacking.

“To exploit this bug, we first send the letter F to 32665, which is Facebook’s SMS shortcode in the UK. We receive an 8 character verification code back,” he explained in a blog post.

“We enter this code into the activation box (located here), and modify the profile_id element inside the fbMobileConfirmationForm form.”

Once Facebook sent back an SMS confirming the code had been linked to an account, Whitton realised he could initiate a password reset to hijack the target’s account.

“The bounty assigned to this bug was $20,000, clearly demonstrating the severity of the issue,” he added.

The news came just days after Facebook admitted another flaw had leaked around six million users’ contact information and an unconfirmed number of non-Facebook users.

What do you know about Internet security? Find out with our quiz!

Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

Recent Posts

Craig Wright Sentenced For Contempt Of Court

Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…

3 days ago

El Salvador To Sell Or Discontinue Bitcoin Wallet, After IMF Deal

Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…

3 days ago

UK’s ICO Labels Google ‘Irresponsible’ For Tracking Change

Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…

3 days ago

EU Publishes iOS Interoperability Plans

European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…

4 days ago

Momeni Convicted In Bob Lee Murder

San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…

4 days ago