Facebook accounts are a valuable commodity to hackers who are hungry for the personal information they contain. One white-hat hacker claims to have found the Holy Grail: a simple trick that could let cybercriminals covertly access accounts with ease.
In a post on microblogging website Medium, an 18-year-old computer tester called James Martindale outlined how a suspected flaw in how Facebook manages its account verification via phone numbers let him break into a number of profiles at random.
The Silicon Valley social media giant lets you add multiple numbers as a way of letting your friends see how to contact you on other services. The problem, however, stemmed from the fact the same numbers can be used as a method of account recovery.
"Great, except Facebook never encourages you to keep your contact info up-to-date," Martindale wrote. "This isn't just an opportunity for a friend getting ticked off because you never replied to the text they sent to a phone number you no longer have.
"This can be game over for your account."
The researcher said he stumbled across the security snafu after trying to port a phone number to work on Google Voice via mobile service FreedomPop. When he inserted a new T-Mobile SIM card into his phone, it turned out the number had previously been linked to another user on Facebook.
He typed the phone number into Facebook via its search functionality and found a single account popped up. Using his browser's incognito mode, he signed in with the number as the username and a bogus password. When an error was received, he clicked "Forgot your Password?".
"The recovery option with the completely visible phone number was the one I entered," he explained. "Facebook texts me a code, I enter it, and I'm logged in. So there it was. I could change the password and lock this guy out of his account, just because he forgot to remove an old number."
Martindale said he later checked with another number to see if the result was a one-off. It wasn't. Luckily, the tactic cannot be relied upon to target individual users, so it remains unlikely that a criminal hacker could use the flaw to go after specific accounts.
He wrote: "Your Facebook account is a treasure trove worth a good chunk of money.
"I guarantee you that somebody out there has already smelled the money, figured this out, and is on the prowl chasing after accounts they can resell. At some point, one of those accounts is going to be yours if you have an outdated phone number on your account."
Martindale advised users to immediately remove old phone numbers and email addresses from all online accounts to stay safe from this hack. Concerned Facebook users can also use a feature that sends alerts following unrecognised login attempts.
The researcher said he submitted a bug report directly to Facebook, but an official replied claiming that the security gap was not significant enough to become a real threat.
"This isn't considered a bug for the bug bounty program," the tech giant's team said. "Facebook doesn't have control over telecom providers who reissue phone numbers or with users having a phone number linked to their Facebook account that is no longer registered to them."
In a statement to The Register, a Facebook spokesperson said: "Several online services allow people to use phone numbers to recover their accounts.
"We encourage people to only list current phone numbers, and if we detect the password recovery attempt as 'suspicious' we may prompt the person for more information."
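The weakness described above is that a recycled phone number is still accepted as proof of account ownership. Below is an added example, not code from the article, from Martindale or from Facebook, of how a recovery flow can treat a contact method that has not been re-verified for a long time as untrusted: such a request is forced to an additional check instead of being granted on the SMS code alone. The `Contact` and `RecoveryRequest` types, the 180-day window and the three outcomes are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed policy: a number or address the user has not re-confirmed within
# this window may have been reissued by the carrier, so it cannot stand alone.
MAX_UNVERIFIED_AGE = timedelta(days=180)


@dataclass
class Contact:
    value: str          # phone number or e-mail address as stored on the account
    channel: str        # "sms" or "email"
    last_verified: datetime  # last time the user proved control of this contact


@dataclass
class RecoveryRequest:
    contact: str
    channel: str
    now: datetime
    known_device: bool  # request comes from a browser/device seen on this account


def recovery_decision(contacts: list[Contact], req: RecoveryRequest) -> str:
    """Return 'deny', 'step_up' or 'allow' for a password-recovery attempt.

    'step_up' means a one-time code to this contact is not enough on its own;
    the caller must demand a second, independent proof of identity.
    """
    match = next((c for c in contacts
                  if c.channel == req.channel and c.value == req.contact), None)
    if match is None:
        return "deny"                       # contact is not on the account at all
    if req.now - match.last_verified > MAX_UNVERIFIED_AGE:
        return "step_up"                    # possibly recycled number or dead mailbox
    if not req.known_device:
        return "step_up"                    # fresh contact, but unfamiliar device
    return "allow"


def stale_contacts(contacts: list[Contact], now: datetime) -> list[str]:
    """Contacts the account owner should be nudged to re-verify or remove."""
    return [c.value for c in contacts if now - c.last_verified > MAX_UNVERIFIED_AGE]
```

The same `stale_contacts` list is what a periodic "is this still your number?" prompt would be built from, addressing the complaint in the article that users are never encouraged to keep contact details current.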