Facebook pays a $20,000 bug bounty for an account hijacking flaw

Social network fixes the SMS account vulnerability

by Alastair Stevenson , courtesy Fri Jun 28 , 2013

SOCIAL NETWORK Facebook has fixed a critical flaw that left users’ accounts open to hacking attacks, shelling out a huge $20,000 bounty to the bug hunter who found the vulnerability.

The bug was discovered by UK based security researcher and bug hunter Jack Whitten. He said that the flaw was related to the way Facebook managed updates to mobile devices via SMS.

“Facebook gives you the option of linking your mobile number with your account. This allows you to receive updates via SMS, and also means you can log in using the number rather than your email address. The flaw lies in the /ajax/settings/mobile/confirm_phone.php end-point. This takes various parameters, but the two main are code, which is the verification code received via your mobile, and profile_id, which is the account to link the number to,” Whitten explained.

Whitten said that the flaw could potentially have been used by criminals to hijack control of unwary users’ Facebook accounts. “The thing is, profile_id is set to your account (obviously), but changing it to your target’s doesn’t trigger an error. To exploit this bug, we first send the letter F to 32665, which is Facebook’s SMS shortcode in the UK. We receive an eight-character verification code back. We enter this code into the activation box, and modify the profile_id element inside the fbMobileConfirmationForm form,” he wrote.

“Now we can initate a password reset request against the user and get the code via SMS. Another SMS is received with the reset code. We enter this code into the form, choose a new password, and we’re done. The account is ours.”

A Facebook spokesman told The INQUIRER that it has since fixed the flaw, changing the code so its systems no longer accept the profile_id parameter listed in Whitten’s report.

The spokesman went on to thank Whitten for his help in uncovering the exploit, listing it as a key victory in Facebook’s ongoing bug bounty programme. “Facebook’s White Hat programme is designed to catch and eradicate bugs before they cause problems. Once again, the system worked and we thank Jack for his contribution,” the Facebook spokesman said.

He added that the flaw could never have been automatically exploited, meaning its impact, even if targeted by hackers, would have been limited. Despite that comment, other bug hunters have attacked Facebook, claiming that it drastically under-rewarded Whitten. Commentator Mohammad Husain wrote on his blog, “This is worth more than $20,000,” while fellow blogger Shadôw Hawk added, “This issue is worthy [of a] million dollars.”

Bug bounties are an increasingly common tactic used by information technology companies to spot flaws in their systems, with big name firms like Google having established reward programmes.

Most recently, security aggregator PacketStorm launched its own bug bounty programme, offering bug hunters as much as $7,000 for uncovering working exploits. µ

Thank you, TiA

Related articles


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s


This entry was posted on June 30, 2013 by in SOFTWARE and tagged , , , , , , , .

Top Posts & Pages


Enter your email address to follow this blog and receive notifications of new posts by email.


%d bloggers like this: