I did this without ever knowing the person, touching their stuff, or being anywhere physically close to them. The issue here is how Facebook uses phone numbers.
See, Facebook lets you add phone numbers to your account, probably as a way of letting your friends know how they can contact you other than WhatsApp or Messenger or Snapchat or Hangouts or whatever.
But Facebook also lets you use phone numbers as recovery options, just like an email address. In fact, it encourages you to do so by getting in your face about it every once in a while.
Great, except Facebook never encourages you to keep your contact info up-to-date. This isn?t just an opportunity for a friend getting ticked off because you never replied to the text they sent to a phone number you no longer have. This can be game over for your account.
How I figured this out
I got a really photogenic phone number from a VoIP phone carrier called FreedomPop. I wanted to move this number to Google Voice. Unfortunately Google Voice can?t port in from landline numbers, and VoIP numbers are pretty much landline numbers. In order to pull this off, I signed up for a prepaid plan from T-Mobile. The plan was to port my number from FreedomPop to T-Mobile, and then from T-Mobile to Google Voice.
My T-Mobile SIM card arrived and I stuck it into my phone. While I looked over the activation instructions that came with the SIM card, I got two texts. The first is from somebody I don?t know, and the second is one of those texts Facebook sends out when you haven?t logged in for a while?except I hadn?t added this phone number to Facebook yet.
I was curious. I knew Facebook by default lets people find your account with your phone number, so I typed the number into the search bar to see what came up. A single account. I opened Facebook in an Incognito tab in Chrome, and attempted to sign in with the phone number as the username and a bogus password.
Of course it didn?t work. So I clicked on Forgot your password.
That?s the account I saw when I was searching. The recovery option with the completely visible [until I censored it] phone number was the one I entered. Facebook texts me a code, I enter it, and I?m logged in.
So there it was. I could change the password and lock this guy out of his account, just because he forgot to remove an old number. Or I could play nice and click Skip so that?d he?d never know I logged into his account.
Why this matters
Okay, I don?t need to explain to you that having your account hacked is less than ideal. But, as a friend told me, who cares? You can?t pick your target. It?s like picking up a house key on the street that can teleport you to its house and let you in. Great, except you can?t use that key to break into the house of say, your ex.
So, what are the chances of somebody randomly getting your old phone number and hacking your account?
The chances might be higher than you think.
Okay, so back to my dumb phone number porting story. This was all done using the phone number T-Mobile assigned to me when I activated the SIM card. After the port from FreedomPop went through, my T-Mobile number became the FreedomPop phone number, so I lost the old number and access to that guy?s Facebook account. My FreedomPop account now no longer had a phone number, so they asked me to pick a new one from a list. So I did.
This new number was also attached to a Facebook account.
Yep. I guess I?m a bit of a jerk for checking, but I checked and sure enough I was able to log into yet another Facebook account, yet again without a trace. That?s two accounts in a row, without me even trying. And because I keep buying new SIM cards and changing numbers all the time (for legitimate reasons, I promise!), I keep ending up with new Facebook accounts I can just log into. Not sure why I check, but I do.
Okay, so the likelihood of there being another person out there happening to check their new phone number to see if they can steal a Facebook account that happens to be yours is pretty low. But random curious people like me aren?t the people who hack accounts, hackers and scammers are. And believe me, there?s a lot of money to be made stealing accounts.
How I could make hundreds of dollars a day hijacking Facebook accounts if I wasn?t such a nice guy
My VoIP carrier FreedomPop lets me change my number whenever I want, as long as I pay $5 each time for the privilege. When I do, FreedomPop gives me a whole bunch of numbers to choose from:
All I have to do is try to log into Facebook in an Incognito tab using each one of these numbers. Once I find a phone number that matches an account, I just buy the number, wait for my phone to update its number, and then sign into Facebook using the method described earlier.
Once I have an account, there?s plenty of possibilities. People buy Facebook accounts on the black market all the time, and even in more public places like Reddit. Or I could message the account?s friends and ask for money, just like this scam that probably made thousands.
Of course, if the account is still actively used I might not want the person to know. That?s ok. All Facebook accounts have an integrated account for managing Facebook advertising, and I?ve seen these accounts (without the rest of the account) go for $50?100.
Another possibility is attaching a Facebook app (because seriously, who ever goes through and cleans them out) that will use my hijacked accounts to like pages and posts, comment, give fake reviews to businesses, etc., and all from accounts that look real because they are real, which will make them more valuable to people buying my services (if I offered them). Speaking of Facebook apps, remember all those websites and apps you log into with Facebook because you?re too lazy to make an account? Yep, those are now hackable too.
My point here: your Facebook account is a treasure trove worth a good chunk of money. I?m not an overly intelligent kid. Assuming that 214 million people use Facebook in the USA, only 1 out of every 100 people have an inactive phone number in their account (a figure I just made up), and each account sells for $50, you?re looking at a pool of $107 million dollars. And that?s just from selling the accounts. When you include the scam or botting potential of each account, that dollar value goes up even higher. I guarantee you that somebody out there has already smelled the money, figured this out, and is on the prowl chasing after accounts they can resell. At some point, one of those accounts is going to be yours if you have an outdated phone number on your account. So um yeah, fix that.
What you can do:
- Immediately remove old phone numbers and email addresses from all of your online accounts, including Facebook.
- Get alerts about unrecognized logins for Facebook.
- Hell, set up two-step authentication, since why should anybody be able to log into your account with just one thing?
- Ditch the trashcan fire that is Facebook and move to a good social network like Mastodon.
Facebook won?t fix this?
Yeah, I submitted a report to https://www.facebook.com/whitehat, and here?s what I got back:
There are situations where phone numbers expire and are made available to someone other than the original owner. For example, if a number has a new owner and they use it to log into Facebook, it could trigger a Facebook password reset. If that number is still associated with a user?s Facebook account, the person who now has that number could then take over the account.
While this is a concern, this isn?t considered a bug for the bug bounty program. Facebook doesn?t have control over telecom providers who reissue phone numbers or with users having a phone number linked to their Facebook account that is no longer registered to them.
What I got out of that was ?Yeah, that kinda sucks, but that?s not our responsibility so we?re just gonna ignore this, k??
I also contacted an acquaintance working at Facebook and they filed an internal ticket, but couldn?t tell me what the outcome would be.
Both these requests were submitted over three months ago, and the issue still remains, so I really think Facebook doesn?t care.
I?m hoping that by publishing this, perhaps enough people will pressure Facebook into fixing this gaping hole.
Okay, but what do you expect Facebook to do?
Oops. Perhaps this would?ve been nice to include when I originally published this post. There?s a really simple fix.
Don?t let users recover accounts solely with the same method used to log in.
If they want to recover after logging in with an email address, make them use another email address or phone number for recovery. The same goes for phone numbers. This alone would stop this exploit in its tracks. Heck, even just requiring users to identify at least one other recovery method probably would be as effective.
Additionally, Facebook should:
- Not let users recover an account without forcing a password reset. The user must know when this sort of thing happens.
- Send notifications to every single attached email address and phone number when the password is reset, for the same reason.
- Ask the user if they want to remove old phone numbers or email addresses whenever they add a new one.
- Fix the suspicious recovery attempt detection system a spokesperson told The Register that Facebook has, because it hasn?t caught me yet.
If you liked this story, consider following me on Twitter, where I tweet all sorts of things that probably have nothing to do with information security.