Monday, July 1, 2013

Facebook Fixes SMS-Based Account Hijacking Vulnerability

A UK security researcher has disclosed a bug in Facebook's code that allowed him to take over any Facebook account in less than a minute, and earned himself a $20,000 bug bounty in the process. fin1te, a security engineer, describes a simple bug "which will lead to a full takeover of any Facebook account, with no user interaction." Put simply, the attacker sends Facebook an SMS message, and Facebook ties his phone to the account of his choice. Once that link exists, the attacker needs no further trick: he requests a password reset for the victim's account and the reset code is delivered to his own mobile.
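The general failure class behind an attack like this is a phone-linking flow that takes the target account from something the client controls rather than from the authenticated session. The following is an added toy model written for this page, not Facebook's code and not fin1te's exploit; the account ids, phone number and the exact form-field mechanism are constructed assumptions used to illustrate the class, since the page does not give the bug's internals. It shows the vulnerable confirmation step beside a hardened one, and how the linked phone then redirects a password reset.

```python
import secrets


class PhoneLinkService:
    """Toy model of a 'link a phone to your account' flow (constructed example)."""

    def __init__(self):
        # Constructed sample accounts; nobody has a phone linked yet.
        self.users = {
            1001: {"name": "victim", "phone": None},
            2002: {"name": "attacker", "phone": None},
        }
        # One-time codes texted to a phone, stored with the account that requested them.
        self.pending = {}

    def request_code(self, session_user_id, phone):
        """The logged-in user asks to link `phone`; the site texts a code to that phone."""
        code = secrets.token_hex(4)
        self.pending[code] = {"phone": phone, "user_id": session_user_id}
        return code

    def confirm_vulnerable(self, code, form_user_id):
        """Vulnerable: the account to link is read from a client-supplied form field.

        Anyone holding a valid code (e.g. one texted to their own phone) can attach
        that phone to any account id they choose to submit."""
        entry = self.pending.pop(code, None)
        if entry is None or form_user_id not in self.users:
            return False
        self.users[form_user_id]["phone"] = entry["phone"]
        return True

    def confirm_fixed(self, code, session_user_id):
        """Fixed: the code is bound to the account that requested it, and the phone is
        only ever linked to the account of the authenticated session."""
        entry = self.pending.get(code)
        if entry is None or entry["user_id"] != session_user_id:
            return False
        del self.pending[code]
        self.users[session_user_id]["phone"] = entry["phone"]
        return True

    def password_reset_target(self, phone):
        """Which account would receive a password-reset code texted to `phone`?"""
        for uid, rec in self.users.items():
            if rec["phone"] == phone:
                return uid
        return None


def run_takeover(use_fix):
    """The attacker (2002) tries to attach their own phone to the victim's account (1001).

    Returns the account id that a password reset sent to the attacker's phone would
    unlock: 1001 means the takeover worked, 2002 means the phone stayed on the
    attacker's own account."""
    svc = PhoneLinkService()
    attacker_phone = "+15550000001"  # constructed number
    # The attacker legitimately requests a code for their own phone while logged in.
    code = svc.request_code(2002, attacker_phone)
    if use_fix:
        # The server uses the session identity; a tampered form field is irrelevant.
        svc.confirm_fixed(code, 2002)
    else:
        # The attacker submits the victim's id in the form instead of their own.
        svc.confirm_vulnerable(code, 1001)
    return svc.password_reset_target(attacker_phone)
```

The hardened version makes two changes that matter independently: the one-time code is remembered together with the account that requested it, and the confirmation handler ignores any client-supplied account id and uses the session's identity. Either alone closes this particular path; doing both also stops a code issued to one session from being replayed against another.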
