Tuesday, July 2, 2013

Low on money? Know how to hack? Get on over to Facebook to "research" (a.k.a. hack).

Facebook has paid a $20,000 reward to a UK based security researcher for reporting a bug that hackers could've used to take over users' accounts.

Last month, UK security researcher Jack Whitton found a way to hack into other users' Facebook accounts without their knowledge, simply by sending a text message to Facebook.

The flaw, which Facebook has fixed, was in a Facebook service that lets users link their mobile phones with their accounts. This lets them log into Facebook using their phone number instead of their email address, and send profile updates via text message.

To activate this feature, a user sends a text message to Facebook, which texts back an authorization code. This code is what ties the user's device to their account.

But Whitton found that Facebook's authorization code could be tweaked to work with other users' accounts as well. This means a hacker could just change the password and gain complete control over the account.
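As an added illustration (not Facebook's code; the article does not describe the real internals), here is a hypothetical phone-link confirmation endpoint in the weak shape the article describes, where a valid code is accepted for whichever account the client names, beside a hardened version that binds each code to the account and phone it was issued for, with expiry and single use. The store, field names and TTL are assumptions.

```python
import time
import secrets

# Constructed in-memory store of pending phone-link codes (hypothetical):
# code -> (account_id, phone, issued_at)
PENDING = {}
CODE_TTL = 600  # seconds a code stays valid (assumed value)


def issue_code(account_id, phone, now=None):
    """User texted in; server issues a code and records which account/phone it is for."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**8):08d}"
    PENDING[code] = (account_id, phone, now)
    return code


def confirm_weak(code, claimed_account_id):
    """Flawed pattern: any valid code links the phone to whatever account the
    client claims, so a code issued for one user can be redirected to another."""
    if code not in PENDING:
        return None
    del PENDING[code]
    return claimed_account_id  # trusts the client-supplied account id


def confirm_hardened(code, claimed_account_id, phone, now=None):
    """Hardened pattern: the code is only honoured for the account and phone it was
    issued for, once, and only within CODE_TTL; the server-side record decides."""
    now = time.time() if now is None else now
    entry = PENDING.get(code)
    if entry is None:
        return None
    issued_account, issued_phone, issued_at = entry
    if now - issued_at > CODE_TTL:
        PENDING.pop(code, None)  # expired: discard
        return None
    if issued_account != claimed_account_id or issued_phone != phone:
        # Mismatch: refuse without consuming; this event is worth logging
        # and rate-limiting, since it should never occur in a legitimate flow.
        return None
    del PENDING[code]  # single use
    return issued_account
```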

Graham Cluley, an independent security analyst, says the bug could have had a widespread impact on Facebook users.

"This should – obviously – have been impossible, but due to a weakness in Facebook’s tangled nest of millions and millions of lines in code, potentially hundreds of millions of accounts were vulnerable to hijacking through the simple technique," Cluley said in a Friday blog post.

Whitton informed Facebook about the flaw May 23, and Facebook fixed it five days later. Facebook gave Whitton a shout-out on its list of "white hats," the term for researchers who find bugs and inform vendors instead of using them for financial gain.

Source: Business Insider
