In the beginning of 2016, I posted about my resolutions for this year, about how I set this goal of being successful in the bug bounty programs of my self declared ‘big four’ : Apple, Microsoft, Google and Facebook.
I was successful in three of them (Google, Microsoft and Apple.) in less than 3 months, but kept struggling with Facebook for another 3 months.
It took however up to september for Facebook to actually confirm the bug.
Due to it not being of a very high severity. (But that can be put in perspective, I’ll explain this further in this post.)
So basically what I found was a very classic brute force.
Facebook offers this feature to link your mobile number to your Facebook account, and let you post stuff to your Facebook, and perform a couple other actions via a text message.
They added a feature to secure these text messages from being spoofed (*) by asking to put a 4 digit numerical secret pincode in the beginning of the text message.
So, such a message would look like:
Your very interesting and
important life update.
Wait a 4 digit secret pincode?
That rings a bell right?
Of course I started testing the rate limits on this feature right away and it turned out, there was none.
I could send 9999 messages in less than an hour to Facebook, and all of them would be accepted and validated.
Spoofing a text message out of the blue is very, very hard, if not just impossible.
But for me, as a bug bounty hunter, having an “it’s impossible to” mindset is simply a no go, so I started looking around for other ways to exploit this issue.
I am going to be honest, I personally, was not able to find a way to exploit this issue for every Facebook user in the world that has his mobile number linked to his account.
I did however find a way to exploit it in my country, Belgium, at least, a part of Belgium. I was able to get a copy of any sim card from a specific provider in Belgium. Out of respect, I’ll not disclose which provider since they have taken HUGE actions to make this impossible.
Well what I did was just prove that humans are the weakest link in the circle of cyber security.
I simply walked in at a help center of that provider, told them my sim card was broken and I was in need for a new one.
They said it was no problem and asked my number, I gave a friends number and without checking my identity and stuff or even writing my identity down, I got the sim card.
There I am, able to ‘spoof’ text messages of my friend and, therefore, carry out the attack explained above.
But hey Kieran, what if the guy that activates the new sim card is the attacker?!
If an attacker works at a provider, and is able to activate sim cards, he is able to carry out this attack for every client of the provider that has their mobile number linked to their Facebook account.
This puts things in perspective right? 🙂
Facebook agreed with my opinions, and decided to tighten up the rate limits of this feature.
As a thanks I will receive a spot on their ‘hackers wall of fame’, and got a bounty paid out by them.
I thought a lot about ways to exploit this so it affected a broader public.
If you can think about a certain way to exploit this in a mass, leave a comment!
I would love to hear about it.
- June 11 2016 : Bug submitted to Facebook
- June 12 2016 : More information was asked, including a working POC
- September 20 2016 : Bounty paid by Facebook
Facebook offers a feature to perform a couple actions on your account with a text message, like updating your status or adding a friend.
I was able to brute force the secret pincode that you have to send with the SMS.
(*) spoofing: impersonating the identity of someone/something.
In this scenario: being able to send a message from the same number as your target.