A security researcher claims to have discovered a security hole, or exploit, in Facebook that lets anyone hijack an account via SMS text message. Fin1te, a researcher based in the United Kingdom, posted the details on a Tumblr blog. The security hole stems from a flaw in a PHP file that Facebook uses to handle mobile phone logins.
The flaw, which has been corrected, allowed potential hackers to trick Facebook, through a series of steps, into giving them a password reset code for any user account. All the potential hacker needed was a target’s User ID number, which can be obtained in seconds by browsing Facebook.com.
Fin1te also received financial compensation, roughly $20,000, for finding this bug. Fast Company has previously reported on the booming exploit marketplace, where tech companies, organized crime groups, intelligence agencies, and foreign military entities offer monetary compensation to people who can find security holes in software and digital services.