back to article Facebook users pwnd by phone with account recovery vulnerability

Facebook account recovery using pre-registered mobile numbers is poorly implemented and open to abuse, according to critic James Martindale. Martindale wrote an article on Medium, titled I kinda hacked a few Facebook accounts using a vulnerability they won't fix, highlighting his concerns in a bid to push the social network …

Silver badge
WTF?

Just incredible that the security of one of the most used systems in the world is so lax.

Also interesting to note that people regularly change their mobile numbers when they change phone / carrier. I've had the same number in the UK for about 17 years, but it's on the 5th new phone and 4th carrier in that time. Does no other country port numbers easily? (or is it an outside Europe thing?)

3
1

I kept mine in Holland as much as possible (I only changed once in 17 years as the company took over my contract and then went bankrupt - the phone company would only let me keep my number - with them, converting it to a private account again - if I paid my employers debt to them), and in the UK always kept the same number.

But out of the people I know in both countries, I am in the minority. It seems (note: personal anecdotal evidence only :) ) many people think that it costs money or is somehow unsafe to keep the same number...

0
0
Silver badge

Me to, had the same number for 16 years, first on One2One and then Cellnet, then Orange (and then EE).

0
0
Silver badge

I'd guess a fair percentage may actually have had changing their number as the reason to switch in the first place. Especially if the original had ended up on the various telemarketing cold-call databases that are used to spam us these days (PPI anyone?).

2
0
Silver badge

Wife and I have the same number after numerous phone and carrier changes. We're in the States. I guess I'm wondering why others change numbers?

0
0
Silver badge

Incredible?

Why do you find that incredible? They aren't protecting health or banking info, they're protecting a bunch of vacation pictures and 10 year old posts from three girlfriends ago. It is more important to have it be easy to use than to be secure. They offer multiple methods of 2FA for those who are concerned about security.

0
0
Anonymous Coward

Re: Incredible?

Their 2FA options require either a cell phone (to receive SMS), a physical U2F key, or a cell phone with NFC. Most users aren't going to buy the key, and a lot of phones don't have NFC. So while they offer "multiple methods", most users can't turn off SMS-based login.

0
0

Nothing like good security!

I'm so glad I never succumbed to adding my phone number for extra security (allegedly).

9
0
Silver badge

Let's be honest here

These types want phone numbers for marketing and perhaps surveillance, and any security "benefit" the user receives is mostly incidental to that.

10
0

As my dear old mother used to say...

"Facebook said its practices mirrored those of other online services"

I suppose that if Tommy jumped off a cliff.....

6
0
Silver badge

"Many of my less tech-savvy friends never remove phone numbers, they just keep adding their new number when they switch carriers or move,"

Why the hell would you not take your previous number with you? Unless you're a serial spouse-cheater-onner , or some kind of criminal?

1
5
Silver badge
Headmaster

Cold caller spam?

Are you sure you've never been mis-sold PPI or been in an accident recently?

1
0
Silver badge

"Cold caller spam?"

And you can be sure that the previous owner of your new number didn't spaff that number all over the place?

My company mobile number of 10 years was used by a previous employee who also used it for his own business. It was quite literally *years* before calls for him from his clients finally stopped.

0
0
Silver badge

" I don't know of a single website other than Facebook that lets me recover an account with a phone number, and then not change the password."

Try Yahoo mail

2
0

Haha, I learned something new today. Thanks!

0
0
Silver badge

So hows this "hack" work exactly ?

So hows this work? ... A determind scammer with a good scam up his sleave , just needs to access someones (anyones) facebook account to kick it off. Does he buy a load of phones hoping that one of the numbers he gets will have been used on facebook?

How does he know which account he has the phone for? Oh , im guessing facebook told the guy in their "come back!" text ?

Or can you just go on the site and click on "I forgot my Username but my phone number is..."

I can see theres some holes there but a ner-do-well would heve to get lucky... (which , yes i know , is not a valid security policy)

0
0

Re: So hows this "hack" work exactly ?

If a scammer were to run this as an actual operation, they'd probably use some phone API like Twilio, which will dramatically reduce their costs. Then they would just request a new number, attempt to log into Facebook, and if the login is successful, take it over, rinse and repeat.

While the "come back! text" tipped me off that this was possible, it's not necessary to know if an account exists that that given phone number.

You are correct that there is an element of luck involved. But I stumbled across enough accounts in a row that I'm wondering if I'm either incredibly lucky, or there's a lot of accounts up for grabs.

1
0

isn't this really just a rehash of the recycled email address from your ISP problem?

0
0

Aah, that probably explains why I was woken up at 0610 the other day by a Facebook SMS asking me to validate my Facebook account. I've never had a Facebook account and never will.

2
0
Silver badge
Trollface

No, but with a little effort you could have someone elses instead...

6
0
Anonymous Coward

Want Facebook 2FA? SMS or physical key required

Looks like you can't use "just" an authenticator app for 2FA on Facebook - either a cellphone (which will receive a code via SMS allowing login *without* the authenticator code) or a physical key is required. And even if you still have that phone number, SMS messages aren't remotely secure. https://www.theregister.co.uk/2017/05/03/hackers_fire_up_ss7_flaw/

1
0
Silver badge
Unhappy

He's lucky if F-Bitch doesn't have him arrested

I wouldn't be surprised in the LEAST if FaceBitch's reaction to the exploit discover is to HAVE THE GREY-HAT HACKER ARRESTED!

After all, he ALTERED account parameters [by removing the phone number] !!!

I'm sure some DRM or obscure law could be used to PUNISH! THAT! GUY! with the full force of THE! LAW!!!

[it's the kind of "logic" Face-Bitch WOULD have. yeah]

0
4
Silver badge

Re: He's lucky if F-Bitch doesn't have him arrested

Bob! Take your meds at once!

3
0
Silver badge
Megaphone

Facebook

Your security is just as important to us as your privacy.

4
0
Megaphone

It takes two to tango

Yep. This is lousy security, but it is on the users as well as Facebook. Even if FB forced a PW change, that won't stop crackers from getting in. It might warn the user that something is going on or it might not. Either way, it reminds be about a saying about horses and barn doors. Users should also be held responsible for not keeping contract info up to date.

0
0

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Forums

Biting the hand that feeds IT © 1998–2017