Nowadays, for most of us, smartphones have become a vital device, something that we have at hand almost all the time. They come with a phone number that is frequently used to identify ourselves on social networks and other important online services.
- Did you ever wonder what happens when we change our phone number?
- Do the services that use it to identify us, correctly disassociate such a number from our identity?
When we cancel a phone number, the mobile providers wait for a certain period of time before assigning it to a new customer (commonly 3 months), this number recycling process has several implications. Since it is common for phone numbers to be recycled by mobile providers, it is possible that the previous owner of a number has an account on Facebook -or any other service- still associated with the number.
A dangerous problem arises when a platform does not have a strategy to protect their users from phone number recycling.
The Facebook case
Facebook allows its users to authenticate their accounts in at least two ways: through the username and password, or using the telephone number associated with the account (if any). We can see this last alternative when trying to access Facebook from a smartphone, for example using the mobile's web browser.
Once clicking on the blue button, Facebook will identify the profile associated with the phone number and ask for the user's password.
Of course, a potential attacker who bought a SIM card with the previous number of the target person will not have the password. However -here comes the most interesting part- it is possible to choose the option "Try another way" (to authenticate) in order to avoid entering the password.
Surprise!
Facebook allows authentication by sending an SMS to the phone number that the attacker owns! Unfortunately Facebook assumes that the phone number still belongs to the real owner of the account.
Facebook now allows a new password to be set for the account, or simply to skip and enter the profile.
With no effort, the attacker now has access to the victims' Facebook account.
What does Facebook say about this?
Facebook told us that they can do nothing to fix this issue.
In our opinion, Facebook could actually protect their users from being hacked by this technique, by simply denying login only with the phone number if that authentication method has not been used in the last 30 days for the phone number. This would prevent attackers from logging into the account of the previous phone number's owner, as recycling usually occurs after at least 90 days. Another measure might be to prevent users from recovering/resetting their password using the same method being used to authenticate, after all, this technique is only possible because Facebook allows password authentication to be skipped and a new one to be set using the phone number owned by the attacker as recovery method.
Ironically, Facebook has implemented a strategy against phone number recycling on WhatsApp. The FAQ page of WhatsApp states:
"If the previous owner of your phone number didn't delete their WhatsApp account, you and your contacts may see your phone number in WhatsApp before you activate a new account. You may also see someone else's profile photo and about attached to your phone number. There's no need to worry. This only means that the previous account wasn't deleted, so old information still exists in the system. This does not mean that the previous owner of the phone number has any access to the WhatsApp account you activate with your new phone number. Your conversations and other WhatsApp data are secure. To help eliminate confusion with recycled phone numbers, we monitor account inactivity. If an account is unused for 45 days and then becomes newly activated on a different mobile device, we take this as a sign that a number has been recycled. At this time, we'll remove the old account data tied to the phone number - like the profile photo and About."
Unfortunately, they do not apply this on Facebook. A fact that we were able to verify after accessing another account using the previous phone number of a person still associated to their account. Facebook allowed us to login even though the real owner of the account had not used the phone number to authenticate on Facebook for several months.
How can Facebook users protect against this?
As Facebook have made it clear that they will not take steps to protect their users from this, it is important that users take steps themselves.
The protection is simple:
- Remember to always update the phone number associated with your Facebook account.
- Remember that if you deactivate a phone number, to also disconnect it from your Facebook account.
Unfortunately many users forget to update the phone numbers associated with their social networks. If they change their number, an attacker asking for the victim's previous number may gain access to their Facebook account with zero effort.
_____
Teresa Alberto
Security Researcher at Dreamlab Technologies
