Friday, 5 July B.E. 2556 (2013)

HIJACKING A FACEBOOK ACCOUNT WITH SMS



This post will demonstrate a simple bug which will lead to a full takeover of any Facebook account, with no user interaction. Enjoy.
Facebook gives you the option of linking your mobile number with your account. This allows you to receive updates via SMS, and also means you can login using the number rather than your email address.
The flaw lies in the /ajax/settings/mobile/confirm_phone.php end-point. This takes various parameters, but the two main ones are code, which is the verification code received via your mobile, and profile_id, which is the account to link the number to.
The thing is, profile_id is set to your account (obviously), but changing it to your target’s doesn’t trigger an error.
To exploit this bug, we first send the letter F to 32665, which is Facebook’s SMS shortcode in the UK. We receive an 8-character verification code back.
We enter this code into the activation box (located here), and modify the profile_id element inside the fbMobileConfirmationForm form.
Submitting the request returns a 200. You can see the value of __user (which is sent with all AJAX requests) is different from the profile_id we modified.
Note: You may have to reauth after submitting the request, but the password required is yours, not the target's.
An SMS is then received with confirmation.
Now we can initiate a password reset request against the user and get the code via SMS.
Another SMS is received with the reset code.
We enter this code into the form, choose a new password, and we’re done. The account is ours.

Fix

Facebook responded by no longer accepting the profile_id parameter from the user.
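To make the defect and the fix concrete, here is an added example (not Facebook's code) that models the confirm_phone end-point: the pre-fix handler trusts the client-supplied profile_id, the post-fix handler links the phone only to the authenticated __user, and a small detection helper flags requests where the two disagree. The phone-to-code store, the code format and the log record shape are assumptions.

```python
import hmac
import secrets

# Constructed state standing in for the real backing store (not Facebook's code).
pending_codes = {}   # phone number -> 8-character code sent by SMS
linked_phones = {}   # profile_id -> set of confirmed phone numbers

def issue_code(phone):
    """Model of replying to the 'F' SMS: issue an 8-character code to that phone."""
    code = secrets.token_hex(4).upper()      # 8 hex characters (constructed format)
    pending_codes[phone] = code
    return code

def _code_matches(phone, code):
    expected = pending_codes.get(phone)
    # Constant-time compare so the check leaks nothing about the expected code.
    return expected is not None and hmac.compare_digest(expected, code)

def confirm_phone_vulnerable(session_user, params):
    """Pre-fix behaviour: the account to link comes from the client-supplied profile_id."""
    if not _code_matches(params["phone"], params["code"]):
        return 400
    target = params.get("profile_id", session_user)   # attacker-controlled value
    linked_phones.setdefault(target, set()).add(params["phone"])
    del pending_codes[params["phone"]]
    return 200

def confirm_phone_fixed(session_user, params):
    """Post-fix behaviour: the account is the authenticated user (__user); profile_id is ignored."""
    if not _code_matches(params["phone"], params["code"]):
        return 400
    linked_phones.setdefault(session_user, set()).add(params["phone"])
    del pending_codes[params["phone"]]
    return 200

def mismatched_profile_requests(log):
    """Detection: return confirm_phone requests whose profile_id differs from __user.
    `log` is a list of dicts with keys __user and, optionally, profile_id (assumed format)."""
    return [r for r in log if "profile_id" in r and r["profile_id"] != r["__user"]]
```

The detection helper captures the signal visible in the post: a request whose profile_id does not match the __user value sent with every AJAX request.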

Timeline

23rd May 2013 - Reported
28th May 2013 - Acknowledgment of Report
28th May 2013 - Issue Fixed

Note

The bounty assigned to this bug was $20,000, clearly demonstrating the severity of the issue.

Attackers sign malware using crypto certificate stolen from Opera Software



A "few thousand" users may have automatically installed malware signed by expired cert.

Hackers penetrated network servers belonging to Opera Software, stole at least one digital certificate, and then used it to distribute malware that incorrectly appeared to be published by the browser maker.
The attack was uncovered, halted, and contained on June 19, according to a short advisory that Opera published Wednesday morning. While administrators have cleaned the system and have yet to find any evidence of any user data being compromised, the breach still had some troubling consequences.
"The attackers were able to obtain at least one old and expired Opera code signing certificate, which they have used to sign some malware," Wednesday's advisory stated. "This has allowed them to distribute malicious software which incorrectly appears to have been published by Opera Software or appears to be the Opera browser. It is possible that a few thousand Windows users, who were using Opera between June 19 from 1.00 and 1.36 UTC, may automatically have received and installed the malicious software."
Opera's advisory leaves out key information that makes it hard to assess just how much damage was done. Missing details include when the attackers first gained access to the servers, precisely when the stolen digital certificate expired, and whether there's reason to believe other certificates may also have been obtained. It would also be useful to know how hackers got access to an official Opera digital certificate, which is supposed to cryptographically prove that the software that bears its seal could only have come from the company. As Ars reported last year, companies such as Symantec go to great lengths to secure such keys, although Opera is hardly alone in losing control of such a valuable certificate.
The advisory also provides few details about the malware that was signed with Opera's official digital imprimatur, other than to link to this VirusTotal analysis. The Opera post urged users to "update to the latest version of Opera as soon as it is available, keep computer software up to date, and to use a reputable antivirus product on their computer."
Opera representatives declined to provide additional details, citing a continuing investigation into the breach. At some point soon, though, officials should provide a more thorough account of what happened, who was affected, and what steps have been taken to prevent similar attacks from succeeding in the future.