Facebook account recovery security vulnerability discovered
July 17, 2017
We learned today that Facebook's account recovery feature, which relies on a pre-registered mobile number, is poorly implemented and open to abuse by hackers.
James Martindale, who published an article on Medium titled 'I kinda hacked a few Facebook accounts using a security vulnerability they won't fix', lays out his numerous concerns in a bid to push the social network into improving its system and making it safer for its users.
For example, older phone numbers no longer owned by a user but that are still tied to their account can be assigned by a wireless carrier to another person.
If the number in question is still linked to a Facebook account, the new owner can log into that account without the password and either change it or leave it as is, so that the original owner never learns a breach has occurred.
The security issue cannot target specific accounts but might be used to hijack an account before running various scams against the account holder's friends and contacts.
Facebook said today that its practices mirrored those of other online services, adding that it already pushes similar alerts in cases where it detects suspicious password recovery attempts.
"Several online services allow for users to get phone numbers to recover their accounts. We encourage people to only list current phone numbers, and if we detect the password recovery attempt as 'suspicious' we may prompt the user for more data."
Martindale asserted that Facebook was missing the point, adding that "several online services" also having account recovery features via phone numbers isn't a very good defence.
What you need to consider is that Facebook is very different from these other services because it allows users to have multiple mobile phone numbers. Martindale stumbled on the security issue when his wireless carrier assigned him a number previously linked to another Facebook user.
He received a reminder text from Facebook and discovered that the associated account had five other phone numbers linked to it. "Many of my less tech-savvy friends never remove phone numbers, they just keep adding their new number when they switch carriers or move," Martindale noted.
"I probably never would've stumbled across this exploit if it weren't for Facebook sending re-engagement SMS messages to the phone number I inherited from another user," he asserted. "I understand sending a few texts to remind an inactive user of what they're missing out on, but after a while shouldn't Facebook decide they're just not interested? These text alerts make it incredibly easy to discover when a phone number is attached to a Facebook account, other than searching Facebook for the phone number."
"When I started this experiment, I decided I would get to the point where Facebook forces a password reset, and then stop," Martindale explained. "Facebook surprised me by letting me log in without changing anything. I don't know of a single website other than Facebook that lets me recover an account with a phone number, and then not change the password."
Martindale told us he was glad to hear that Facebook has some sort of system to detect suspicious logins, while arguing that it needed to be improved.
"Once I discovered this exploit, I developed a habit whenever I get a new number to log into the associated Facebook account (if it's still valid) to see if the exploit still exists and to remove the phone number from the account," he said.
"Never once have I been 'prompted for more information'. It's now very clear to me that Facebook's suspicious login detection system needs some major improvement," he warned users.
"Additionally, as well as improving detection of suspicious recovery attempts, Facebook should also apply various changes so that a user can't retrieve an account using the same email address or phone number they used to log in. Google, Microsoft, and hundreds of other good online services make people use an alternate email address or phone number, and sometimes require the rest of the obfuscated number/email address in order to continue a recovery," Martindale argued.
"This alone would stop this exploit dead in its tracks," he said. "In addition, Facebook should apply a mandatory password reset every time users go through the account recovery process. Don't let people recover an account without forcing a password reset and sending a notification to every email address and phone number tied to the account," Martindale urged.
"The account owner must know when their password is changed so that they can know if somebody is getting into their account details without them knowing. When a user adds a new phone number to an account, Facebook should immediately ask them if they want to remove their old phone number," he added.
"If Facebook encourages users to only list current phone numbers this would be the best way to do just that," Martindale concluded. We'll keep you posted on this and other security news stories.
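To make the recommendations concrete, here is an added example (not Facebook's code, and not code from Martindale's article): a small in-memory Python model that contrasts the recovery behaviour the article describes, where control of any linked number yields a session with the password untouched and nobody told, with a hardened flow that refuses recovery through a login identifier, forces a password reset, alerts every linked contact, and prompts for removal of old numbers when a new one is added. All names, the sample account and the phone numbers are hypothetical and constructed for this example.

```python
"""Account-recovery policy model (added example, not Facebook's code).

Contrasts the weak flow described in the article with the hardened policy
Martindale recommends. Account, RecoveryResult, weak_recover, hardened_recover,
add_phone and the sample data are all hypothetical names constructed here.
"""
from dataclasses import dataclass, field
import secrets


@dataclass
class Account:
    user_id: str
    email: str
    login_ids: set            # identifiers the user types in to log in
    phones: list              # every linked number, oldest first
    password_hash: str = "pw-hash-v1"
    must_reset: bool = False  # set when a recovery invalidates the password


@dataclass
class RecoveryResult:
    granted: bool
    reason: str
    forced_reset: bool = False
    notified: list = field(default_factory=list)


def mask(contact: str) -> str:
    """Show only the last two characters, as recovery prompts usually do."""
    return "*" * (len(contact) - 2) + contact[-2:]


def find_by_phone(accounts, phone):
    """Look up the account a number is linked to (stale numbers included)."""
    return next((a for a in accounts if phone in a.phones), None)


def weak_recover(accounts, phone):
    """The behaviour the article describes: control of any linked number, even one
    the carrier has since reassigned, yields a logged-in session with the password
    unchanged and no notification, so the real owner never learns it happened."""
    acct = find_by_phone(accounts, phone)
    if acct is None:
        return RecoveryResult(False, "no account linked to this number")
    return RecoveryResult(True, "session granted, password unchanged")


def hardened_recover(accounts, phone, outbox):
    """Martindale's recommendations, applied in order:
    1. the recovery channel must be an alternate contact, not a login identifier;
    2. a successful recovery always forces a password reset;
    3. every email and phone on the account is told what happened."""
    acct = find_by_phone(accounts, phone)
    if acct is None:
        return RecoveryResult(False, "no account linked to this number")
    if phone in acct.login_ids:
        return RecoveryResult(False, "recovery contact must differ from login identifier")
    acct.must_reset = True
    # Old password no longer works; the caller must choose a new one before use.
    acct.password_hash = "reset:" + secrets.token_urlsafe(16)
    channels = [acct.email, *acct.phones]
    for ch in channels:
        outbox.append((ch, f"Account recovery completed via {mask(phone)}; "
                           "the password was reset. Not you? Secure your account."))
    return RecoveryResult(True, "password reset required before use",
                          forced_reset=True, notified=channels)


def add_phone(acct, new_phone):
    """Linking a new number should prompt removal of the old ones instead of
    silently accumulating them; returns the numbers the user is asked about."""
    stale = list(acct.phones)
    acct.phones.append(new_phone)
    return stale


def build_sample():
    """Constructed sample data: 'owner' still logs in with an old number that the
    carrier has since handed to someone else ('+15550000001'). Not a real account."""
    owner = Account("owner", "owner@example.test",
                    login_ids={"+15550000001"},
                    phones=["+15550000001", "+15550000002"])
    return [owner]


if __name__ == "__main__":
    outbox = []
    accounts = build_sample()
    print(weak_recover(accounts, "+15550000001"))              # granted, nothing changed
    print(hardened_recover(accounts, "+15550000001", outbox))  # refused: login identifier
    print(hardened_recover(accounts, "+15550000002", outbox))  # granted, reset, 3 alerts
    print(add_phone(accounts[0], "+15550000003"))              # old numbers to review
    print(outbox)
```

The weak path is the one to look for in a design review: a recovery that ends in a usable session without a credential change or an out-of-band alert gives the legitimate owner no signal at all, which is exactly what lets a reassigned number be used quietly.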
Source: James Martindale.