How to Hack a Facebook Account
Posted By Tony Bravo 11 April 2015
This should, obviously, have been impossible. But thanks to a weakness somewhere in Facebook's tangled nest of millions upon millions of lines of code, potentially hundreds of millions of accounts were vulnerable to hijacking through a simple technique.
Fin1te (real name Jack) has documented how the hack works on his blog.
The first thing to do is send the letter "F" in an SMS message to Facebook, as though you were legitimately registering your mobile phone with the social network. In the UK, the SMS short code for Facebook is 32665.
[Image: Send an SMS to Facebook]
Facebook responds, via SMS, with an eight-character confirmation code.
The normal sequence of events would be to enter that confirmation code into a Facebook form, and go on your merry way...
[Image: Facebook mobile activation form]
But fin1te discovered that the form had a vulnerability which allowed the confirmation code Facebook had sent him by SMS to be used against *anyone* else's account.
What fin1te had uncovered was that one of the elements of the mobile activation form contained, as a parameter, the user's profile ID. That's the unique number associated with your intended target's account.
[Image: Profile ID parameter inside form]
Change the profile ID that the form sends to Facebook, and the social network is duped into thinking you are someone else linking a mobile phone to their account.
So the first thing you need in order to hijack an account this way is the victim's unique Facebook profile ID.
If you don't know what someone's numeric profile ID is, you can always look it up using freely-available tools - they aren't supposed to be a secret.
[Image: Find a Facebook profile ID]
Sure enough, fin1te was able to replace the profile ID parameter sent by his browser to Facebook with the unique number of the account he wanted to access...
[Image: Facebook hack data]
... and within seconds his mobile phone received an SMS confirming that he had successfully connected the device to the account.
[Image: Facebook confirmation SMS]
Success. A Facebook account now has a third party's mobile phone number associated with it, without any need for malware or phishing. All it took was one SMS text message and a single modified form parameter.
The final stage of the account hijacking is straightforward. Facebook allows you to log into its system using your mobile number rather than an email address if you want, so at login you enter the mobile phone number you have associated with your victim's account, and request a password reset via SMS.
[Image: Facebook password reset code]
Sure enough, fin1te discovered that Facebook duly sent him the password reset code for the account - meaning he could change the account's password, and lock out its legitimate user.
This is an incredibly simple but powerful way to take over anybody's Facebook account.
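The whole chain, modelled as an added example (this is not Facebook's code and not fin1te's): an in-memory service whose vulnerable activation handler takes the account to update from a client-controlled profile_id form field, beside a hardened handler that ignores that field and binds the confirmation code to the logged-in user who requested it. The account numbers, phone number, handler names and SMS texts are all constructed for the demo.

```python
"""Model of the phone-linking flaw described above, beside a hardened version.

Constructed example (not Facebook's code): an in-memory service where a user
requests an SMS confirmation code, submits it on an activation form, and can
later ask for a password reset by phone number. All identifiers are made up.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Account:
    profile_id: int
    email: str
    phone: Optional[str] = None


@dataclass
class Service:
    accounts: Dict[int, Account]
    # confirmation code -> (profile_id it was issued to, phone it was sent to)
    pending: Dict[str, Tuple[int, str]] = field(default_factory=dict)
    sms_outbox: List[Tuple[str, str]] = field(default_factory=list)  # (phone, text)

    def send_sms(self, phone: str, text: str) -> None:
        self.sms_outbox.append((phone, text))

    def request_code(self, session_user: int, phone: str) -> str:
        """Step 1: the user texts "F" from their phone; the service replies
        with an eight-character code and remembers who asked for it."""
        code = secrets.token_hex(4)  # 8 hex characters
        self.pending[code] = (session_user, phone)
        self.send_sms(phone, f"Your confirmation code is {code}")
        return code

    def activate_vulnerable(self, session_user: int, form: Dict[str, str]) -> bool:
        """Step 2 as the page describes the flaw: the account to update comes
        from a profile_id form field, which the client can rewrite."""
        entry = self.pending.pop(form["code"], None)
        if entry is None:
            return False
        _issued_to, phone = entry
        target = int(form["profile_id"])       # attacker-controlled
        self.accounts[target].phone = phone    # never checks target == issued_to
        return True

    def activate_hardened(self, session_user: int, form: Dict[str, str]) -> bool:
        """Fix: the account comes from the authenticated session only, and the
        code must have been issued to that same user. Any profile_id in the
        form is ignored."""
        entry = self.pending.get(form["code"])
        if entry is None:
            return False
        issued_to, phone = entry
        if issued_to != session_user:
            return False                       # someone else's code
        del self.pending[form["code"]]
        self.accounts[session_user].phone = phone
        return True

    def reset_password_by_phone(self, phone: str) -> Optional[int]:
        """Step 3: log in by phone number and ask for a reset code; it goes to
        whichever account now owns that number."""
        for acct in self.accounts.values():
            if acct.phone == phone:
                self.send_sms(phone, f"Password reset code: {secrets.token_hex(3)}")
                return acct.profile_id
        return None


ATTACKER, VICTIM, ATTACKER_PHONE = 1001, 4321, "+447700900123"  # constructed


def run_attack(hardened: bool) -> Dict[str, object]:
    """Attacker links their own phone to the victim's account by tampering
    with profile_id, then requests a password reset for that phone."""
    svc = Service({ATTACKER: Account(ATTACKER, "attacker@example.com"),
                   VICTIM: Account(VICTIM, "victim@example.com")})
    code = svc.request_code(ATTACKER, ATTACKER_PHONE)
    form = {"code": code, "profile_id": str(VICTIM)}  # tampered hidden field
    activate = svc.activate_hardened if hardened else svc.activate_vulnerable
    linked = activate(ATTACKER, form)
    return {
        "linked": linked,
        "victim_phone": svc.accounts[VICTIM].phone,
        "attacker_phone": svc.accounts[ATTACKER].phone,
        "reset_sent_for": svc.reset_password_by_phone(ATTACKER_PHONE),
    }


def foreign_code_rejected() -> bool:
    """The hardened handler also refuses a code issued to a different user."""
    svc = Service({ATTACKER: Account(ATTACKER, "a@example.com"),
                   VICTIM: Account(VICTIM, "v@example.com")})
    code = svc.request_code(ATTACKER, ATTACKER_PHONE)
    return not svc.activate_hardened(VICTIM, {"code": code, "profile_id": str(VICTIM)})


if __name__ == "__main__":
    print("vulnerable:", run_attack(hardened=False))
    print("hardened:  ", run_attack(hardened=True))
```

With the vulnerable handler the victim's account ends up carrying the attacker's number and the password reset code is sent there; with the hardened handler the tampered profile_id is simply ignored, the phone is linked to the attacker's own account, and a code issued to one user cannot be redeemed from another user's session. The general rule is the same for any "confirm by code" flow: the object being modified must be derived from the authenticated principal (or from the record the code was minted against), never from a field the client can edit.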
The good news is that fin1te disclosed the vulnerability responsibly to Facebook rather than exploiting it for malicious purposes or selling it to other parties. Facebook has fixed the problem, so others can no longer take advantage of this serious security hole, and for his troubles awarded fin1te a hefty $20,000 bug bounty.
But there's no doubt that on the underground market, perhaps sold to cybercriminals or intelligence agencies, fin1te's discovery could have earned him even more money.
TheTruthSpy lets you view all the Facebook chat conversations that take place through the target phone. With TheTruthSpy Facebook spying software you can:
- View all Facebook chat conversations.
- Find out the names of people they have been chatting with.
- Get time and date stamps to know when each chat took place.
- Get access to any photos, videos or audio files sent through Facebook chat and saved on the target phone.
- All Facebook chat conversations are uploaded to your online TheTruthSpy control panel which you can access from anywhere with an internet connection.