A programmer “James Martindale” has found an easy way to hack random Facebook accounts whose owners have connected the accounts to their phone numbers. If you’re changing your phone number, there are chances that your old number will be given to someone else. If the new owner of that number attempts to perform Facebook login, he/she can perform a password reset and control your account. While Facebook has called it a concern, it has refused to consider the same for its bug bounty program.
Facebook often asks you to link a phone number to your account to help “secure my account.” If you forget your password or have trouble accessing your account, that phone number can be used to reset your password and authenticate you again. The number also lets your friends contact you by calling.
But, what if you change your phone number and it’s assigned to someone else?
However, there’s a flaw in the way Facebook uses your phone numbers. A computer programmer, James Martindale, recently uncovered an easy way to break into a person’s Facebook account. He has documented his experience on Medium.
Martindale got a new SIM card, and after inserting it into his phone, he received two texts: the first from an unknown person and the second from Facebook. The second text surprised him, as he hadn’t added the new number to Facebook yet. It was one of the texts the company sends if you haven’t logged in for a while.
Most of you probably know that Facebook lets you find your account using a phone number; you can also use it to sign in. So he attempted to sign in using the new phone number and a random password. As expected, it didn’t work. So, he clicked on Forgot Password.
Facebook showed him the account’s recovery phone numbers, and he chose the one he had entered. He received a recovery code and used it to create a new password and log in. He could now do anything with that Facebook account, including changing its password.
You might argue that the chances of another person checking his/her new phone number on Facebook are pretty low. But, what if someone does that? Martindale also writes that his VoIP carrier FreedomPop lets him change his number anytime for $5.
FreedomPop (and some other services) show you lots of phone numbers to choose from. All one needs to do is open Facebook and try logging in with one of those numbers. After finding a matching number, the attacker can buy that number and use it to hack a Facebook account.
Facebook isn’t fixing this issue
Facebook has called it a concern but refused to consider it a bug for its bug bounty program. “Facebook doesn’t have control over telecom providers who reissue phone numbers or with users having a phone number linked to their Facebook account that is no longer registered to them,” the website writes.
What you can do:
You should immediately remove old phone numbers and email addresses from your Facebook account. You should also set up two-step login authorization and login alerts on Facebook and your other online accounts.
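To make the flaw concrete, here is an added example (not Facebook’s code, and not from Martindale’s write-up) that models a password-reset policy. The weak policy accepts an SMS code on any linked number, so a reissued number passes; the hardened policy also refuses numbers the owner has not reconfirmed recently and demands the second factor when one is enrolled. The 90-day reconfirmation window and the account layout are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List

# Assumption: a linked number must be reconfirmed by its owner this often,
# otherwise it is treated as possibly reissued by the carrier.
RECONFIRM_WINDOW = timedelta(days=90)


@dataclass
class Account:
    username: str
    recovery_phones: Dict[str, date]  # phone -> date the owner last confirmed it
    two_factor_enabled: bool = False


def weak_reset_allowed(account: Account, phone: str, otp_ok: bool) -> bool:
    """Weak policy: whoever receives the SMS code on a linked number may reset.
    This is the flow the article describes; a recycled number is enough."""
    return phone in account.recovery_phones and otp_ok


def hardened_reset_allowed(account: Account, phone: str, otp_ok: bool,
                           second_factor_ok: bool, today: date) -> bool:
    """Hardened policy: the SMS code alone is never sufficient."""
    confirmed = account.recovery_phones.get(phone)
    if confirmed is None or not otp_ok:
        return False
    if today - confirmed > RECONFIRM_WINDOW:
        return False  # stale number: owner has not proven control recently
    if account.two_factor_enabled and not second_factor_ok:
        return False  # enrolled second factor must be presented as well
    return True


def stale_numbers(account: Account, today: date) -> List[str]:
    """Numbers the owner should remove or reconfirm (the article's advice)."""
    return sorted(p for p, d in account.recovery_phones.items()
                  if today - d > RECONFIRM_WINDOW)


if __name__ == "__main__":
    # Constructed sample: an old number left linked after the owner moved on.
    acct = Account("alice", {"+15550100": date(2016, 1, 1),
                             "+15550199": date(2017, 6, 1)})
    today = date(2017, 6, 10)
    print("weak, old number:", weak_reset_allowed(acct, "+15550100", True))
    print("hardened, old number:", hardened_reset_allowed(acct, "+15550100", True, False, today))
    print("remove/reconfirm:", stale_numbers(acct, today))
```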