A security researcher claims to have spotted a flaw in Facebook’s account recovery feature that can let anyone easily break into your account – that too, without you ever noticing, media reported on Friday. According to a report in the Independent, “there is no need of password to gain access and scammers can also lock you out of your own account”.
The discovery was made by 18-year-old James Martindale when he inserted a new SIM card into his phone.
Martindale quickly received a message from Facebook informing him that “he had not logged into his account for a while, despite not having tied the new number to his account”, the report said.
He then searched for the number on Facebook which brought up a single account.
Martindale then attempted to log into the account by using the number as the username and typing in a random password but failed because the password he entered was wrong.
He clicked on ‘Forgot Password’ option to recover his account but failed again.
Martindale searched for the account with the new number and found a list of account recovery options — comprising an email address and six phone numbers – for regaining access to the account.
“One of these options was for Facebook to text a password reset code to the very number Martindale had just tried to log in with,” the report said.
After selecting the option, he received the code and successfully logged into the ‘person’s’ account.
“Facebook then gave him the option to change the password, which would have locked the real user out of their account, or to skip that stage, which means he never would have known his account had been hacked,” the report pointed out.
Martindale performed the same trick with another new number and it resulted the same. However, when Martindale pointed out the flaw to Facebook, he was told it was just a “concern”.
Here is Facebook’s entire response, as cited by Martindale:
“There are situations where phone numbers expire and are made available to someone other than the original owner. For example, if a number has a new owner and they use it to log into Facebook, it could trigger a Facebook password reset. If that number is still associated with a user’s Facebook account, the person who now has that number could then take over the account.”
“While this is a concern, this isn’t considered a bug for the bug bounty program. Facebook doesn’t have control over telecom providers who reissue phone numbers or with users having a phone number linked to their Facebook account that is no longer registered to them.”
[“source-gadgets.ndtv”]