Hacking a Facebook account with just a text message


Last updated: May 23, 2024

Can you imagine that a single SMS is enough to hack a Facebook account? No need for hacking tools or techniques such as Trojans, phishing or keyloggers. With a simple text message you can hack a Facebook account.

Here I will tell you how a British security researcher, “end1te”, was able to hack a Facebook account in a minute by sending a simple SMS.

As you know, there is an option to link your phone number to your Facebook account. This allows you to receive updates about your Facebook account by text message. You can also log in to your account using this number rather than your email address.

According to the researcher, the flaw was related to the phone number binding process or, technically, to the file /ajax/settings/mobile/confirm_phone.php.

This web page allows a user to submit their phone number and the verification code sent by Facebook.

This form has two main parameters: one for the verification code, and the other, profile_id, which identifies the account the number is associated with.

How to hack a Facebook account with a text message?

Here are the steps to carry out the Facebook hack by SMS:

  • In the source code of the page confirm_phone.php, replace the profile_id value with the victim's profile_id value.
  • Send the letter F to the number 5100, which is Facebook's SMS shortcode in France. You will receive an 8-character verification code.
  • Enter this code as the value of the confirmation_code parameter and submit the form.
  • At this stage, Facebook will link the attacker's phone number to the victim's Facebook profile.
  • Finally, to take full control of the victim's Facebook account, the hacker simply has to go to the Forgot password option and launch the password reset request.

Facebook no longer accepts the user's profile_id parameter, and the development team has corrected this major flaw. In return, Facebook paid US$20 to researcher “fin000te” as a bug bounty.
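
The fix described above, taking the target account from the authenticated session instead of a client-supplied profile_id, sketched as an added example (not Facebook's code and not from the original article). The class, method names and sample values are hypothetical and constructed for illustration.

```python
# Added illustration: constructed in-memory model, not Facebook's code; all names are hypothetical.

class PhoneBinding:
    def __init__(self):
        self.pending = {}  # confirmation_code -> phone that requested it by SMS
        self.phones = {}   # profile_id -> confirmed phone number
        self.audit = []    # events worth alerting on

    def issue_code(self, phone, code):
        self.pending[code] = phone

    def confirm_vulnerable(self, session_user, form):
        # Flawed pattern from the article: the account to modify is read
        # from the request, so the session owner is never consulted.
        phone = self.pending.pop(form["confirmation_code"], None)
        if phone is None:
            return False
        self.phones[form["profile_id"]] = phone
        return True

    def confirm_fixed(self, session_user, form):
        # The target is always the authenticated session user. A profile_id
        # naming another account is rejected and logged, and that check
        # runs before the code is consumed.
        supplied = form.get("profile_id")
        if supplied is not None and supplied != session_user:
            self.audit.append(("profile_id_mismatch", session_user, supplied))
            return False
        phone = self.pending.pop(form.get("confirmation_code"), None)
        if phone is None:
            return False  # unknown or already-used code
        self.phones[session_user] = phone
        return True


def demo():
    # Constructed sample data: session user "1001", other account "2002".
    phone, code = "+33600000001", "ABCD1234"
    weak, fixed = PhoneBinding(), PhoneBinding()
    weak.issue_code(phone, code)
    fixed.issue_code(phone, code)
    tampered = {"confirmation_code": code, "profile_id": "2002"}
    own = {"confirmation_code": code}
    return [weak.confirm_vulnerable("1001", tampered),  # binds account 2002
            fixed.confirm_fixed("1001", tampered),      # rejected and logged
            fixed.confirm_fixed("1001", own),           # binds account 1001
            fixed.confirm_fixed("1001", own),           # replayed code refused
            weak.phones, fixed.phones, fixed.audit]
```

The mismatch entries in `audit` are the signal to alert on: a legitimate client has no reason to submit a profile_id that differs from its own session.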