Facebook is home to millions of active users who log in and share their moments with their loved ones on a daily basis. Most of today’s communication has been taken over by social platforms and applications, and Facebook is at the top of the bunch.
The real attraction behind Facebook is that it is a multi-faceted platform. Users can not only message one another for free, but also share their status, check-in to different places to let people know where they are, reach out to new friends, promote their business or brand, share photos and videos, and do much more.
Privacy at Risk
Keeping that in mind, one can imagine how vulnerable one’s identity and privacy can be if someone could only hack into their Facebook profile. The perpetrator would have access to everything the target shares on Facebook. This may include personal messages, close friends, their whereabouts, the user’s own location and daily routine, and more.
This is why it is so crucial for platforms like Facebook to have top notch security and privacy features, but it seems like they keep dropping the ball. A recent loophole in Facebook’s code, discovered by a researcher who calls himself fin1te, has shown how flawed the website’s security really is.
Exploiting Facebook’s Loophole
fin1te discovered that it was fairly easy to hack into someone’s Facebook profile through Facebook’s mobile services. What you could basically do is link your mobile phone with someone else’s profile, while making Facebook think that it’s yours. This was a serious security flaw, where Facebook could essentially be fooled very easily.
The process with which fin1te achieved this feat goes something like this:
- The first step was to send the letter F to Facebook through an SMS message – this is the way to register your mobile device with your profile.
- When Facebook responded with a confirmation code, fin1te discovered the loophole in the online form where one is supposed to enter this code in order to successfully link the device.
- While looking at the form’s coding, he found out that one of the parameters in it was the user’s Facebook profile ID, which is a unique number that is given to each user. fin1te thought that he could simply replace his own ID with someone else’s in the code, and Facebook would be fooled into thinking that fin1te was someone else. That is exactly what happened.
While you may be thinking that getting someone’s unique ID is not easy, you’d be surprised to find out that these numeric IDs aren’t supposed to be secret. This means that you could virtually access anyone’s Facebook’s profile by linking your own personal mobile phone with it.
In order to completely hack someone’s profile, you could easily set up logging in to the victim’s profile with your linked mobile number rather than an email address. Now you would be wondering how does one get the password to the victim’s account. That is pretty straightforward too, as you can simply ask Facebook to reset the password via the newly linked mobile phone that you own.
Good Thing fin1te wasn’t a Criminal
While all of this is scary news, it’s a good thing that fin1te wasn’t looking to make money out of his discovery. He could’ve hacked many important Facebook profiles and used them for his own good, or simply sold the process to cybercriminals for hefty amounts of money. Instead, he responsibly made Facebook aware of the problem with their security so that no one could get hurt. As a result, Facebook paid him $20,000, and fixed the flaw.
Now that this problem is fixed, we can all rest easy. But platforms like Facebook may have more loopholes that can compromise one’s privacy. It’s always best to avoid making such platforms your virtual reality, and one should simply not share too much publicly. The phrase ‘prevention is better than cure’ fits very squarely in situations like this.