Hacking a Facebook account with just an SMS

Can you imagine that a single SMS is enough to hack a Facebook account? No need for hacking tools such as Trojans, phishing or keyloggers: with a simple text message you could hack a Facebook account.

Here I will explain how the British security researcher “fin1te” could hack a Facebook account in a minute by sending a simple SMS.

As you know, there is an option to link your phone number to your Facebook account. This allows you to receive updates from your Facebook account via SMS. You can also sign in to your account using this number instead of your email address.

According to the researcher, the flaw was related to the phone number binding process or, technically, to the file /ajax/settings/mobile/confirm_phone.php.

This web page allows a user to submit their phone number and verification code, sent by Facebook.

This form has two main parameters: one carries the verification code, and the other, profile_id, identifies the account the number is to be associated with.

How to hack Facebook account with a text message?

Here are the steps of the attack, as the researcher described it:

  • In the source code of the page confirm_phone.php, replace the profile_id value with the victim's profile_id.
  • Send the letter F to the number 5100, which is the Facebook SMS shortcode in France. You will receive an 8-character verification code.
  • Enter this code as the confirmation_code parameter value and submit the form.
  • At this stage, Facebook links the attacker's phone number to the victim's Facebook profile.
  • Finally, to take full control of the victim's Facebook account, the attacker simply goes to the Forgot password option and launches a password reset request, since the reset now goes to the newly linked number.

Facebook's developer team has fixed this major flaw: the endpoint no longer accepts the user-supplied profile_id parameter. In return, Facebook paid US$20 to the researcher “fin1te” as a bug bounty.
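The flaw above is an instance of the server trusting a client-controlled account identifier (profile_id) instead of the authenticated session. The following Python model, added here as an illustration and not Facebook's code, shows the flawed handler beside a hardened one that takes the account from the session, treats any mismatching profile_id in the form as a tampering signal, and makes each verification code single-use. All account ids, phone numbers and code formats are constructed for the example.

```python
"""Toy model of a phone-confirmation endpoint (added example, not Facebook's
code). It contrasts a handler that binds the number to form['profile_id']
with one that binds it to the session's account. Every id, number and code
below is constructed."""

import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    profile_id: str
    phone: Optional[str] = None       # number currently linked to the account


@dataclass
class PendingCode:
    phone: str                        # number that texted the shortcode
    code: str                         # 8-character code texted back to it


class PhoneConfirmService:
    def __init__(self, accounts):
        self.accounts = {a.profile_id: a for a in accounts}
        self.pending = {}             # code -> PendingCode, consumed on first use
        self.alerts = []              # detection log for session/form mismatches

    def receive_sms(self, phone):
        """A phone texts the shortcode; the server replies with a code.
        The code proves possession of `phone` only; it carries no information
        about which account the submitter is logged in to."""
        code = secrets.token_hex(4)   # 8 hex characters (constructed format)
        self.pending[code] = PendingCode(phone, code)
        return code

    def confirm_vulnerable(self, session_profile_id, form):
        """Flawed handler: the account to bind comes from the form."""
        pending = self.pending.pop(form.get("confirmation_code", ""), None)
        if pending is None:
            return "invalid_code"
        target = self.accounts.get(form.get("profile_id"))
        if target is None:
            return "unknown_profile"
        target.phone = pending.phone  # caller's number lands on whatever account it named
        return "linked"

    def confirm_hardened(self, session_profile_id, form):
        """Hardened handler: the account comes from the session, never the form."""
        submitted = form.get("profile_id")
        if submitted is not None and submitted != session_profile_id:
            # A client never has a legitimate reason to name another account here,
            # so log it as a tampering signal instead of acting on it.
            self.alerts.append(
                f"profile_id mismatch: session={session_profile_id} form={submitted}")
            return "rejected"
        pending = self.pending.pop(form.get("confirmation_code", ""), None)
        if pending is None:
            return "invalid_code"
        self.accounts[session_profile_id].phone = pending.phone
        return "linked"


def run_scenario(hardened):
    """Replay the post's scenario against one handler.
    Returns (handler result, victim's linked phone, alert log)."""
    svc = PhoneConfirmService([Account("victim-1001"), Account("attacker-2002")])
    code = svc.receive_sms("+15550000002")          # constructed: the attacker's own phone
    # Logged in as attacker-2002, the form's hidden profile_id is edited to the victim's id
    form = {"profile_id": "victim-1001", "confirmation_code": code}
    handler = svc.confirm_hardened if hardened else svc.confirm_vulnerable
    result = handler("attacker-2002", form)
    return result, svc.accounts["victim-1001"].phone, svc.alerts


if __name__ == "__main__":
    print("vulnerable:", run_scenario(False))   # victim gets the attacker's number
    print("hardened:  ", run_scenario(True))    # rejected, victim untouched, one alert
```

The hardened handler also shows the two checks a reviewer would look for in any "confirm X for account Y" endpoint: the account identity is derived from the session, and the proof (here the SMS code) is consumed on first use so it cannot be replayed against another request.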