UK-based security researcher Jack Whitten disclosed details of a vulnerability in Facebook which allowed a malicious user to take over arbitrary user accounts.
“The flaw lies in the /ajax/settings/mobile/confirm_phone.php end-point. This takes various parameters, but the two main ones are code, which is the verification code received via your mobile, and profile_id, which is the account to link the number to,” the researcher writes.
Because the endpoint trusted the client-supplied profile_id, Facebook accepted the verification code sent to the attacker's own phone and linked that phone to whichever account the attacker named, i.e. the victim's. Whitten then requested a password reset on the target account, received the reset form on the phone now linked to it, and took over the account.
He took part in Facebook's bug bounty program and received a $20,000 award. Facebook fixed the flaw within 5 days by no longer accepting the profile_id parameter.
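To make the control failure concrete, here is an added example (not Facebook's code nor the researcher's) in Python: a toy phone-confirmation service with the flawed handler that trusts a client-supplied profile_id beside a hardened one that ignores it and binds the confirmation to the session user. All account names, codes and phone numbers are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class PhoneService:
    # pending[code] = (phone, profile the code was issued for); constructed sample state
    pending: dict = field(default_factory=dict)
    linked_phone: dict = field(default_factory=dict)  # profile_id -> phone

    def send_code(self, profile_id: str, phone: str, code: str) -> None:
        # A real service would generate a random code; a fixed one keeps the demo deterministic.
        self.pending[code] = (phone, profile_id)

    def confirm_vulnerable(self, session_user: str, params: dict) -> str:
        """Flawed handler: links the phone to whatever profile_id the client sent."""
        phone, _issued_for = self.pending.pop(params["code"])
        target = params.get("profile_id", session_user)  # attacker-controlled value
        self.linked_phone[target] = phone
        return target

    def confirm_fixed(self, session_user: str, params: dict) -> str:
        """Hardened handler: profile_id is not accepted at all; the code must have
        been issued for the session user, and the link is made to that user only."""
        entry = self.pending.get(params["code"])
        if entry is None or entry[1] != session_user:
            raise PermissionError("code not valid for this account")
        del self.pending[params["code"]]
        self.linked_phone[session_user] = entry[0]
        return session_user


def demo(handler_name: str) -> str:
    """Replays the scenario described above against one handler and returns the
    profile that ended up linked to the attacker's phone, or 'denied'."""
    svc = PhoneService()
    svc.send_code("attacker", "+15550001111", "123456")  # code sent to attacker's phone
    request = {"code": "123456", "profile_id": "victim"}  # tampered profile_id
    try:
        return getattr(svc, handler_name)("attacker", request)
    except PermissionError:
        return "denied"


if __name__ == "__main__":
    print("vulnerable handler linked phone to:", demo("confirm_vulnerable"))
    print("fixed handler linked phone to:", demo("confirm_fixed"))
```

The fixed handler also rejects a code that was issued for a different account than the one in the session, which is the check that closes the takeover path even if a parameter slips through.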