There are more reasons now for Facebook users to tighten up their security. A UK researcher has disclosed a vulnerability that could have allowed an attacker to hijack any Facebook account, hundreds of millions in total, with a simple technique.
Fin1te, a UK-based researcher, posted the details on his Tumblr blog. He discovered a flaw in a PHP endpoint responsible for linking a mobile phone number to a Facebook account. Most Facebook users know that they can link their account to a mobile number. Besides receiving Facebook updates directly by SMS, a linked number can be used in place of your email address when logging in, and it is the number Facebook texts password-reset codes to when you forget your password.
The flaw was that the endpoint trusted a "profile_id" value supplied by the client when confirming a phone number. In a few simple steps an attacker could confirm his own phone number while naming a victim's user ID as the account to link it to, so his handset became the mobile number on the victim's account. A password reset requested for that account then sent the reset code to the attacker's phone. All the attacker needed was the target's Facebook user ID, which can be obtained in no time by browsing Facebook.com.
Facebook paid Fin1te a bug bounty of $20,000 for reporting the hole. Facebook has fixed the bug by no longer accepting the "profile_id" parameter from the client, so the account a phone number is linked to can no longer be chosen by the person submitting the confirmation form.
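To make the attack chain concrete, here is an added Python model of the flawed flow and of the fix. It is a constructed illustration, not Facebook's code or Fin1te's exploit: the user IDs, phone number, SMS format and the two handler functions are all assumptions for the example. The vulnerable handler binds the confirmed phone to whatever profile_id arrives in the form; the fixed handler takes the owner from the logged-in session and ignores the form field, which is the effect of Facebook's change.

```python
"""Model of a phone-confirmation handler that trusts a client-supplied profile_id.

Everything here is constructed for illustration: the IDs, the phone number,
the SMS texts and the handler names are assumptions, not Facebook's code.
"""
import secrets
from dataclasses import dataclass, field

ATTACKER_ID = 1001          # constructed user IDs, not real accounts
VICTIM_ID = 1002            # public: any profile reveals its numeric ID
ATTACKER_PHONE = "+15550100"  # constructed number


@dataclass
class Site:
    """In-memory stand-in for the account store and the SMS gateway."""
    phone_by_user: dict = field(default_factory=dict)   # user_id -> phone
    pending: dict = field(default_factory=dict)         # phone -> confirmation code
    sms_outbox: list = field(default_factory=list)      # (phone, text) as delivered

    def send_sms(self, phone, text):
        self.sms_outbox.append((phone, text))


def issue_confirmation_code(site, phone):
    """A handset asks to be linked; the site texts it a code to prove possession."""
    code = f"{secrets.randbelow(10**8):08d}"
    site.pending[phone] = code
    site.send_sms(phone, f"confirm:{code}")
    return code


def confirm_phone_vulnerable(site, session_user, form):
    """Flawed handler: links the phone to whatever profile_id the client sent."""
    if site.pending.get(form["phone"]) != form["code"]:
        return False
    owner = int(form["profile_id"])       # attacker-controlled value
    site.phone_by_user[owner] = form["phone"]
    del site.pending[form["phone"]]
    return True


def confirm_phone_fixed(site, session_user, form):
    """Hardened handler: the owner comes from the session; form profile_id is ignored."""
    if site.pending.get(form["phone"]) != form["code"]:
        return False
    site.phone_by_user[session_user] = form["phone"]
    del site.pending[form["phone"]]
    return True


def request_password_reset(site, user_id):
    """Texts a reset code to the phone currently linked to user_id, if any."""
    phone = site.phone_by_user.get(user_id)
    if phone is None:
        return None
    code = f"{secrets.randbelow(10**6):06d}"
    site.send_sms(phone, f"reset:{user_id}:{code}")
    return code


def run_attack(confirm):
    """Plays the full chain against one confirm handler.

    Returns (victim_reset_code_reached_attacker, phone_on_victim, phone_on_attacker).
    """
    site = Site()
    # The attacker's own phone legitimately receives a confirmation code...
    code = issue_confirmation_code(site, ATTACKER_PHONE)
    # ...but the confirmation POST names the victim's ID as the profile to link.
    confirm(site, ATTACKER_ID,
            {"phone": ATTACKER_PHONE, "code": code, "profile_id": str(VICTIM_ID)})
    # The attacker now asks for a password reset on the victim's account.
    reset_code = request_password_reset(site, VICTIM_ID)
    # Did the reset SMS land on the attacker's handset?
    leaked = any(p == ATTACKER_PHONE and t == f"reset:{VICTIM_ID}:{reset_code}"
                 for p, t in site.sms_outbox)
    return leaked, site.phone_by_user.get(VICTIM_ID), site.phone_by_user.get(ATTACKER_ID)


if __name__ == "__main__":
    for name, handler in (("vulnerable", confirm_phone_vulnerable),
                          ("fixed", confirm_phone_fixed)):
        leaked, victim_phone, attacker_phone = run_attack(handler)
        print(f"{name}: reset code reached attacker={leaked}, "
              f"victim's phone={victim_phone}, attacker's phone={attacker_phone}")
```

The point the model makes is that the confirmation code only proves possession of the phone, not ownership of the account; the account identity must come from the authenticated session, and any identifier for it that the client can edit has to be ignored.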