A UK-based security researcher going by the name of “fin1te” has earned himself $20,000 after uncovering a way to hack into any account on Facebook, just by sending a mobile phone text message.


This should – obviously – have been impossible, but due to a weakness in Facebook’s tangled nest of millions and millions of lines of code, potentially hundreds of millions of accounts were vulnerable to hijacking through the simple technique.

Fin1te (real name Jack Whitten) has documented how the hack works on his blog.

The first thing to do is send the letter “F” in an SMS message to Facebook, as though you were legitimately registering your mobile phone with the social network. In the UK, the SMS shortcode for Facebook is 32665.


Facebook responds, via SMS, with an eight character confirmation code.

The normal sequence of events would be to enter that confirmation code into a Facebook form, and go on your merry way…


But fin1te discovered that a vulnerability existed on that form, one that could be exploited to use the confirmation code he had been sent by Facebook via SMS with *anyone* else’s account.

What fin1te had uncovered was that one of the elements of the mobile activation form contained, as a parameter, the user’s profile ID. That’s the unique number associated with your intended target’s account.


Change the profile ID that is sent by that form to Facebook, and the social network might be duped into thinking you are someone else linking a mobile phone to their account.

Therefore, the first step needed to hijack someone’s account in this way requires your victim’s unique Facebook profile ID.

If you don’t know what someone’s numeric profile ID is, you can always look it up using freely-available tools – they aren’t supposed to be a secret.


Sure enough, fin1te was able to replace the profile ID parameter sent by his browser to Facebook with the unique number of the account he wanted to access…


… and within seconds his mobile phone was sent an SMS confirming that he had successfully connected the device to the account.



Success. A Facebook account now has a third-party’s mobile phone number associated with it. Without any need for malware or phishing. All that was done was to send an SMS text message.
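The flaw described above comes down to the server taking the target account from a form field instead of from the logged-in session. The following added example (not Facebook's or fin1te's code; the class, field names and sample values are hypothetical and constructed) contrasts a handler that trusts the submitted profile ID with one that binds the confirmation code to the session user and records mismatches as a detection signal.

```python
import secrets

class PhoneLinker:
    """In-memory stand-in for the server side of the phone-linking form."""
    def __init__(self):
        self.pending = {}  # confirmation code -> phone that requested it
        self.linked = {}   # profile ID -> linked phone number
        self.alerts = []   # (session user, supplied profile ID) mismatches

    def issue_code(self, phone):
        code = secrets.token_hex(4)  # eight-character code, as in the article
        self.pending[code] = phone
        return code

    def confirm_vulnerable(self, session_user, form):
        # Weak: the account to modify is read from client-controlled input.
        phone = self.pending.pop(form.get("code"), None)
        if phone is None:
            return False
        self.linked[form["profile_id"]] = phone
        return True

    def confirm_hardened(self, session_user, form):
        # Fixed: the account comes only from the authenticated session.
        supplied = form.get("profile_id")
        if supplied is not None and supplied != session_user:
            self.alerts.append((session_user, supplied))  # log for detection
            return False
        phone = self.pending.pop(form.get("code"), None)
        if phone is None:
            return False
        self.linked[session_user] = phone
        return True

def demo():
    user_a, user_b = "1001", "1002"  # constructed profile IDs
    phone = "+440000000001"          # constructed phone number
    weak, fixed = PhoneLinker(), PhoneLinker()
    # User A is logged in, but the form carries user B's profile ID.
    weak.confirm_vulnerable(user_a, {"code": weak.issue_code(phone), "profile_id": user_b})
    ok = fixed.confirm_hardened(user_a, {"code": fixed.issue_code(phone), "profile_id": user_b})
    return weak.linked, fixed.linked, ok, fixed.alerts

if __name__ == "__main__":
    print(demo())
```

The mismatch list is the useful detection artefact here: a session for one account submitting another account's profile ID on this form has no legitimate cause.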



The final stage of the account hijacking is straightforward. Facebook allows you to log into its system using your mobile number rather than an email address if you want, so at login you enter the mobile phone number you have associated with your victim’s account, and request a password reset via SMS.


Sure enough, fin1te discovered that Facebook duly sent him the password reset code for the account – meaning he could change the account’s password, and lock out its legitimate user.

This is an incredibly simple but powerful way to take over anybody’s Facebook account.

The good news is that fin1te disclosed the vulnerability responsibly to Facebook, rather than exploited it for malicious intentions or sold it to other parties. Facebook has fixed the problem so others can no longer take advantage of this serious security hole. For his troubles, Facebook awarded fin1te a hefty $20,000 worth of bug bounty and fixed the vulnerability.

But there’s no doubt that on the underground market, perhaps sold to cybercriminals or intelligence agencies, fin1te’s discovery could have earned him even more money.

Who knows what other serious security vulnerabilities may lay inside Facebook that haven’t been responsibly reported to the company’s security team?


