Security researcher fin1te found a way to take over any Facebook account by sending a single SMS. That is how thin the margin can be: one text message between an attacker and your account. Facebook, like many other websites, added a phone number as an extra layer of protection: you link a mobile number to your account and can then use it to confirm a login or recover a lost password. Every new feature brings new attack surface. To link a number, you fill in a form and submit it to Facebook's servers for processing. The two important parameters of that form are the verification code and the user id. If you edit the form, replace your own id with the victim's id and submit the verification code Facebook sent to your phone, your number is linked to the victim's account instead of yours. From there the rest is straightforward: go to the forgot-password page, have the reset code sent to the now-linked number, and log in to the victim's account.

fin1te reported the hole to Facebook, which paid a $20,000 bug bounty and fixed it: the form no longer accepts the user id as a parameter, so the account being modified has to come from something the user cannot tamper with, namely the logged-in session. We are waiting to see the next vulnerability that makes it this easy for attackers to get into our accounts. And those are only the ones that get reported and published; many more are unknown to us. Don't assume that any account on any website or web mail service is safe, because it is not. Be careful about what you keep, send or say online; that is the only way to be sure that when someone does get into your account, they find nothing too sensitive or too personal.
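To make the bug concrete, here is an added example in Python that models the phone-confirmation flow described above. It is not code from fin1te's writeup or from Facebook; the account ids, phone numbers, the parameter names `code` and `user_id`, and the handler names are all assumptions made for the illustration. It puts the flawed handler, which trusts the user id sent in the form, beside a fixed one that takes the account from the session and checks that the code was issued to that same account, then runs the tampered form through both and shows which phone the forgot-password reset code ends up at.

```python
"""Added example (not fin1te's or Facebook's code): a toy model of a phone
confirmation flow, showing why accepting a user id from the submitted form is
an insecure direct object reference and how binding the code to the logged-in
account closes it.  All ids, numbers and parameter names are constructed."""
import secrets

# Constructed sample data: a victim, an attacker, and the attacker's phone.
VICTIM_ID = 1001
ATTACKER_ID = 2002
ATTACKER_PHONE = "+15550001111"


class PhoneService:
    def __init__(self):
        self.linked_phone = {}   # user_id -> phone number linked to the account
        self.pending = {}        # verification code -> (requesting user_id, phone)
        self.reset_sms = []      # (phone, reset code) "sent" by forgot-password

    def request_code(self, user_id, phone):
        """The user texts the service from `phone` and gets a code back.
        The code is recorded against the account that asked for it."""
        code = f"{secrets.randbelow(10**8):08d}"
        self.pending[code] = (user_id, phone)
        return code

    def confirm_phone_vulnerable(self, session_user_id, form):
        """Flawed handler: the account to modify is read from form['user_id'],
        so anyone with a valid code for their own phone can pick any target."""
        target = int(form["user_id"])           # attacker-controlled
        entry = self.pending.pop(form["code"], None)
        if entry is None:
            raise PermissionError("unknown verification code")
        _requester, phone = entry               # requester is never compared
        self.linked_phone[target] = phone
        return target

    def confirm_phone_fixed(self, session_user_id, form):
        """Fixed handler: the account comes from the session, not the form, and
        the code must have been issued to that same account."""
        entry = self.pending.get(form["code"])
        if entry is None or entry[0] != session_user_id:
            raise PermissionError("code was not issued to this account")
        self.pending.pop(form["code"])
        self.linked_phone[session_user_id] = entry[1]
        return session_user_id

    def forgot_password(self, user_id):
        """Sends a reset code to whatever phone is linked to the account and
        returns that phone, or None if no phone is linked."""
        phone = self.linked_phone.get(user_id)
        if phone is None:
            return None
        self.reset_sms.append((phone, secrets.token_hex(4)))
        return phone


def run_attack(use_fixed):
    """Attacker gets a code for their own phone, then submits the form with the
    victim's id.  Returns the phone the victim's reset code goes to, or None
    when the handler refuses the request."""
    svc = PhoneService()
    code = svc.request_code(ATTACKER_ID, ATTACKER_PHONE)
    form = {"code": code, "user_id": str(VICTIM_ID)}   # tampered id
    handler = svc.confirm_phone_fixed if use_fixed else svc.confirm_phone_vulnerable
    try:
        handler(ATTACKER_ID, form)
    except PermissionError:
        return None
    return svc.forgot_password(VICTIM_ID)


def run_legit(use_fixed):
    """The honest flow: an account links its own phone; works with either handler."""
    svc = PhoneService()
    code = svc.request_code(ATTACKER_ID, ATTACKER_PHONE)
    form = {"code": code, "user_id": str(ATTACKER_ID)}
    handler = svc.confirm_phone_fixed if use_fixed else svc.confirm_phone_vulnerable
    handler(ATTACKER_ID, form)
    return svc.forgot_password(ATTACKER_ID)


if __name__ == "__main__":
    print("vulnerable: victim's reset code goes to", run_attack(use_fixed=False))
    print("fixed:      victim's reset code goes to", run_attack(use_fixed=True))
```

With the vulnerable handler the victim's reset code is sent to the attacker's phone; with the fixed one the tampered form is rejected and nothing is linked, while the legitimate flow still works. The general rule the fix illustrates: a verification code proves possession of a phone, not the right to modify an account, so the account must be taken from the authenticated session and the code must be checked against the account it was issued to.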

Hijack any Facebook account with only one SMS