fin1te, "an application security engineer by day, and a researcher by night," has described a simple bug "which will lead to a full takeover of any Facebook account, with no user interaction." Put simply, you send Facebook an SMS message, and Facebook lets you into the account of your choice via smartphone. Once there, of course, an attacker can simply send a password reset message and have the reset code sent to his mobile.
"We enter this code into the form, choose a new password, and we’re done. The account is ours," says fin1te.
The bug is – or was – within the /ajax/settings/mobile/confirm_phone.php endpoint. fin1te reported the problem to Facebook on May 23rd, and Facebook acknowledged his report and fixed the flaw on May 28th – 5 days from report to fix, well within even Google's new 7-day disclosure timeline.
The problem lay within the parameters accepted by confirm_phone.php. "This takes various parameters, but the two main are code, which is the verification code received via your mobile, and profile_id, which is the account to link the number to," explains fin1te.
The process would be to register the phone with the user's own account by texting 'F' to Facebook. Facebook sends back a confirmation code. Normally, the user would just enter the code to register the phone. But, "What fin1te had uncovered," explains security researcher Graham Cluley, "was that one of the elements of the mobile activation form contained, as a parameter, the user’s profile ID. That’s the unique number associated with your intended target’s account."
So, by altering profile_id to that of any other Facebook user, entering the received confirmation code into the form, and submitting it to Facebook, an attacker could have the social giant grant that smartphone access to the specified user account. Cluley points out that "If you don’t know what someone’s numeric profile ID is, you can always look it up using freely-available tools – they aren’t supposed to be a secret."
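A minimal model of the server-side checks that close this class of flaw, shown as an added example rather than code from the article or from Facebook: the handler that trusts the client-supplied profile_id beside one that requires the profile to match both the logged-in session and the account the code was issued to. The store layout, function names and sample values are assumptions for illustration.

```python
import copy

# Constructed sample state: a verification code issued after the "F" text,
# recording which profile (and phone) requested it. Values are made up.
SAMPLE_CODES = {"482913": {"profile_id": 2002, "phone": "+15555550100"}}


def confirm_phone_vulnerable(codes, linked, session_user, code, profile_id):
    """Hypothetical handler with the flaw the article describes: the code is
    checked, but profile_id is taken from the request and never compared to
    anything, so any valid code links the phone to any account."""
    entry = codes.get(code)
    if entry is None:
        return "invalid code"
    linked[profile_id] = entry["phone"]   # profile_id is attacker-controlled
    return "linked"


def confirm_phone_fixed(codes, linked, session_user, code, profile_id):
    """Hardened form: the target profile must be the session's own account
    and the account the code was issued for, and the code is single-use."""
    entry = codes.get(code)
    if entry is None:
        return "invalid code"
    if profile_id != session_user or entry["profile_id"] != profile_id:
        return "forbidden"          # reject cross-account linking
    linked[profile_id] = entry["phone"]
    del codes[code]                 # a used code cannot be replayed
    return "linked"


def simulate(handler, requests):
    """Run a list of (session_user, code, profile_id) requests against a
    fresh copy of the sample state; return the results and the link table."""
    codes = copy.deepcopy(SAMPLE_CODES)
    linked = {}
    results = [handler(codes, linked, *req) for req in requests]
    return results, linked


if __name__ == "__main__":
    # Account 2002 texted "F" and got code 482913; it then submits the code
    # with profile_id set to a different account, 1001.
    print(simulate(confirm_phone_vulnerable, [(2002, "482913", 1001)]))
    print(simulate(confirm_phone_fixed, [(2002, "482913", 1001)]))
    print(simulate(confirm_phone_fixed, [(2002, "482913", 2002)]))
```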
The good news, adds Cluley, "is that fin1te disclosed the vulnerability responsibly to Facebook, rather than exploited it for malicious intentions or sold it to other parties." The rider is, "Who knows what other serious security vulnerabilities may lie inside Facebook that haven’t been responsibly reported to the company’s security team?"