
Can you imagine that one SMS is enough to hack a Facebook account? No need to use hacking tools such as Trojans, phishing or keyloggers. With a simple text message you can hack a Facebook account.
I'm going to explain how a British security researcher, "fin1te", was able to hack a Facebook account in a minute by sending a simple SMS.
As you know, there is an option to link your phone number to your Facebook account. This allows you to receive updates from your Facebook account via SMS. You can also sign in to your account using this number instead of your email address.
According to the researcher, the flaw was in the phone number binding process or, more precisely, in the /ajax/settings/mobile/confirm_phone.php file.
This page lets a user submit their phone number and the verification code sent by Facebook.
The form has two main parameters: one for the verification code, and profile_id, which identifies the account the number is associated with.

How to hack a Facebook account with a text message?
Here are the steps to perform Facebook hacking with SMS:
- In the source code of the confirm_phone.php page, change the value of profile_id to the victim's profile_id value.
- Send the letter F to the number 5100, which is the Facebook SMS shortcode in France. You will receive a verification code of 8 characters.
- Enter this code in the value of the confirm_code parameter and submit the form.
- At this stage, Facebook will link the attacker's phone number to the victim's Facebook profile.
- Finally, to take full control of the victim's Facebook account, the hacker simply needs to go to the Forgotten Password option and start the password reset request.
The developer team has fixed this major flaw, and Facebook no longer accepts the user's profile_id parameter. In return, Facebook paid the researcher "fin1te" US$20,000 as a bug bounty.
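The class of fix described above, shown as an added example (not Facebook's code and not from the researcher's write-up): a confirmation handler that trusts a client-supplied profile_id next to one that binds the phone only to the authenticated session user. The function names, the in-memory stores and the sample phone number, code and account ids are constructed assumptions.

```python
import hmac

# Constructed in-memory state standing in for server-side storage (assumption).
PENDING_CODES = {"+33600000001": "a1b2c3d4"}  # phone -> code issued over SMS
LINKED_PHONES = {}                             # account id -> confirmed phone


def _phone_for_code(code):
    """Return the phone a pending code was issued to, or None."""
    for phone, expected in PENDING_CODES.items():
        if hmac.compare_digest(code.encode(), expected.encode()):
            return phone
    return None


def confirm_phone_vulnerable(session_user_id, form):
    """Flawed pattern: the account to modify is read from the request body."""
    phone = _phone_for_code(form.get("confirm_code", ""))
    if phone is None:
        return False
    LINKED_PHONES[form["profile_id"]] = phone  # client-controlled target
    return True


def confirm_phone_fixed(session_user_id, form):
    """Hardened pattern: the target is always the authenticated session user."""
    supplied = form.get("profile_id")
    if supplied is not None and supplied != session_user_id:
        return False  # mismatch is worth logging as a tampering signal
    phone = _phone_for_code(form.get("confirm_code", ""))
    if phone is None:
        return False
    LINKED_PHONES[session_user_id] = phone
    del PENDING_CODES[phone]  # verification codes are single use
    return True
```

The same rule applies to any state-changing endpoint: an object identifier in the request can be checked against the session, but it should never select whose account is modified.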