The first thing to do is send the letter “F” in an SMS message to Facebook, as though you were legitimately registering your mobile phone with the social network. In the UK, the SMS shortcode for Facebook is 32665.
Facebook responds, via SMS, with an eight character confirmation code.
The normal sequence of events would be to enter that confirmation code into a Facebook form, and go on your merry way…
But fin1te discovered that a vulnerability existed on that form, that could be exploited to use the confirmation code he had been sent by Facebook via SMS with *anyone* else’s account.
What fin1te had uncovered was that one of the elements of the mobile activation form contained, as a parameter, the user’s profile ID. That’s the unique number associated with your intended target’s account.
Change the profile ID that is sent by that form to Facebook, and the social network might be duped into thinking you are someone else linking a mobile phone to their account.
Therefore, the first step needed to hijack someone’s account in this way requires your victim’s unique Facebook profile ID.
If you don’t know what someone’s numeric profile ID is, you can always look it up usingfreely-available tools – they aren’t supposed to be a secret.
Sure enough, fin1te was able to replace the profile ID parameter sent by his browser to Facebook with the unique number of the account he wanted to access…
.. and within seconds his his mobile phone was sent an SMS confirming that he had successfully connected the device to the account.