Can you imagine that a single text message is enough to hack any Facebook account without user interaction or without using any other malicious stuff like Trojans, phishing, keylogger etc.? We are going to explain you that how a UK based Security Researcher, is able to hack any Facebook account within a minute by doing one SMS.
According to hacker "fin1te" , the loophole was in phone number linking process, or in technical terms, at file /ajax/settings/mobile/confirm_phone.php This particular webpage works in background when user submit his phone number and verification code, sent by Facebook to mobile. That submission form having two main parameters, one for verification code, and second is profile_id, which is the account to link the number to.
As attacker, follow these steps to execute hack:
1. Change value of profile_id to the Victim's profile_id value by tampering the parameters.
2. Send the letter F to 32665, which is Facebook’s SMS shortcode in the UK. You will receive an 8 character verification code back.
3. Enter that code in the box or as confirmation_code parameter value and Submit the form.
Facebook will accept that confirmation code and attacker's mobile number will be linked to victim's Facebook profile. In next step hacker just need to go to Forgot password option and initiate the password reset request against of victim's account.
The above instructions are given in order to test accounts' vulnerability of your own.
Δεν υπάρχουν σχόλια:
Δημοσίευση σχολίου