We all know that in most cases, Facebook users are required to submit their phone number while registering with the social network. This links the phone to the profile so that when a user forgets the password, they can prove their identity and receive a new password on their smartphone.
However, if the user stops using the phone number linked to their Facebook profile and switches to another one, the carrier may reassign the previous number to someone else. This is where the problem begins.
According to research conducted by computer programmer James Martindale, Facebook accounts can easily be hacked using your old phone number: if the new owner of your previous number performs a password reset while attempting to log in to Facebook, it is entirely possible for them to gain full control of your account.
Facebook’s account recovery system is to blame for this. When a user forgets their password, it is the job of the account recovery system to help them back into the account by sending an SMS message containing a unique code to their phone number. This code allows the user to regain access to the account and set a new password. So when your old number is acquired by someone else, the new owner of your previous phone number can use that unique code to hijack your Facebook account. No social engineering skills are required to perform the hack.
Martindale himself tried this trick by buying a new SIM and was surprised to receive a message from Facebook as soon as he inserted the SIM into his phone. He shared his findings in a blog post on Medium, where he wrote:
“I was curious. I knew Facebook by default lets people find your account with your phone number, so I typed the number into the search bar and see what came up.”
To reach the password recovery option, he typed in a password and then received a code on his newly bought phone number to log in to the account. According to Martindale’s analysis, the trick is fairly simple, but its consequences are quite drastic, since hackers can use Facebook accounts to spread various kinds of scams or sell the accounts on the black market. They can also blackmail the original user for money in exchange for the profile.
This also poses a threat to the contacts of the hacked account, as every friend of the user can be threatened, specifically extorted for money. Another startling revelation made by Martindale was that FreedomPop, the VoIP carrier he uses, lets him change his phone number by showing him a list of available numbers for just $5. All you have to do is try all the numbers to log in to Facebook, and once a match is found the hacker can hijack a Facebook account, explained Martindale.
What’s even more troubling is that Facebook, despite considering it a real threat, did not include this issue in its bug bounty program. “Facebook doesn’t have control over telecom providers who reissue phone numbers or with users having a phone number linked to their Facebook account that is no longer registered to them” is the excuse provided on its website.
However, the trick only works if your account is still linked to your old phone number. If you keep your contact details up to date, your account remains protected. To keep your account safe, remove any old phone number(s) and email IDs from your account and also enable the two-step login authorization feature.
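To make the failure mode and the two mitigations concrete, here is an added Python model of an SMS-based recovery flow. It is an illustration written for this article, not Facebook's code or Martindale's; the account names, dates, the carrier table, the `Policy` knobs and the outcome strings are all constructed assumptions. It shows why a reset code sent to a reissued number lands with the number's new holder, and how a staleness limit on the linked number, a second factor, or simply removing the old number from the account each close the hole.

```python
"""Model of SMS-based account recovery and the number-recycling problem.
Constructed example: accounts, dates, carrier table and policy rules are
assumptions for illustration, not any real provider's implementation."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple
import secrets


@dataclass
class Account:
    user_id: str
    phone: str                       # number linked for recovery
    phone_verified_at: datetime      # last time the user proved control of it
    two_factor_secret: Optional[str] = None   # set when 2FA is enabled (hypothetical)


@dataclass
class Policy:
    """Recovery rules. legacy() mirrors the behaviour the article describes:
    any correct SMS code to the linked number resets the password."""
    max_phone_age: Optional[timedelta]   # refuse SMS reset if number unverified longer than this
    honour_two_factor: bool              # demand the second factor after the SMS code

    @classmethod
    def legacy(cls) -> "Policy":
        return cls(max_phone_age=None, honour_two_factor=False)

    @classmethod
    def hardened(cls) -> "Policy":
        return cls(max_phone_age=timedelta(days=180), honour_two_factor=True)


class Carrier:
    """Tracks who currently holds each number; reassignment creates the risk."""
    def __init__(self) -> None:
        self.holder = {}

    def assign(self, phone: str, person: str) -> None:
        self.holder[phone] = person

    def deliver_sms(self, phone: str, text: str) -> Tuple[Optional[str], str]:
        # The code goes to whoever holds the number now, not to the account owner.
        return self.holder.get(phone), text


class RecoveryService:
    def __init__(self, accounts, carrier: Carrier, policy: Policy, now: datetime) -> None:
        self.by_phone = {a.phone: a for a in accounts}
        self.carrier, self.policy, self.now = carrier, policy, now
        self.pending = {}   # phone -> outstanding reset code

    def request_sms_reset(self, phone: str):
        """Step 1: 'forgot password' with the linked number."""
        acct = self.by_phone.get(phone)
        if acct is None:
            return "no_account", None
        if (self.policy.max_phone_age is not None
                and self.now - acct.phone_verified_at > self.policy.max_phone_age):
            return "stale_phone_refused", None   # push the user to another channel
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[phone] = code
        return "sms_sent", self.carrier.deliver_sms(phone, code)

    def complete_reset(self, phone: str, code: str, second_factor: Optional[str] = None) -> str:
        """Step 2: caller returns the SMS code (plus a 2FA code if the policy demands it)."""
        acct = self.by_phone.get(phone)
        if acct is None or self.pending.get(phone) != code:
            return "bad_code"
        if (self.policy.honour_two_factor and acct.two_factor_secret is not None
                and second_factor != acct.two_factor_secret):
            return "second_factor_required"
        del self.pending[phone]
        return f"password_reset:{acct.user_id}"


def simulate(policy: Policy, user_removed_old_number: bool = False) -> str:
    """Alice linked a number in 2016 and later dropped it; the carrier reissued it.
    Returns the outcome when the number's new holder runs recovery in 2017."""
    old, new = "+15550100", "+15550199"        # constructed sample numbers
    carrier = Carrier()
    carrier.assign(old, "new_holder")           # number reissued after Alice dropped it
    alice = Account("alice", old, datetime(2016, 1, 10), two_factor_secret="TOTP-DEMO")
    if user_removed_old_number:                 # the article's advice: update your contact details
        alice.phone, alice.phone_verified_at = new, datetime(2017, 3, 1)
    svc = RecoveryService([alice], carrier, policy, now=datetime(2017, 4, 1))
    status, sms = svc.request_sms_reset(old)
    if status != "sms_sent":
        return status
    recipient, code = sms                       # recipient is "new_holder"; Alice never sees it
    return svc.complete_reset(old, code)        # no second factor supplied


if __name__ == "__main__":
    print("legacy policy:      ", simulate(Policy.legacy()))
    print("hardened policy:    ", simulate(Policy.hardened()))
    print("2FA only:           ", simulate(Policy(None, True)))
    print("old number removed: ", simulate(Policy.legacy(), user_removed_old_number=True))
```

Under the legacy policy the new holder of the number completes the reset; the hardened policy refuses the SMS channel because the number has not been re-verified in over 180 days, a 2FA-only policy stops at the second factor, and an account that no longer lists the old number simply does not match. Which staleness window is reasonable is a product decision; the point is that the linked number's age and the user's second factor are both signals the recovery flow can consult before trusting an SMS code alone.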
PS: Isn’t that common sense?