A “gaping hole” in Facebook’s account recovery feature lets anyone easily break into an account, says a security researcher.
They don’t need to know your password to gain access, and can do it without you ever noticing.
However, if they wanted to, they could also choose to lock you out of your own account.
18-year-old James Martindale discovered the apparent shortcomingafter he popped a new T-Mobile SIM card into his phone.
He said he quickly received a text from Facebook, informing him that he hadn’t logged into his account for a while, despite not having tied the new number to his account.
He then searched for the number on Facebook, which brought up a single account, and tried logging in to the social network by using the number as the username and typing in a random password.
The attempt failed because the password he entered was wrong, but clicking on the Forgot Password option that subsequently appeared opened up worrying possibilities.
The account Mr Martindale had found when he searched for the number was displayed on the screen, he said, alongside a list of account recovery options – comprising an email address and six phone numbers – for regaining access to the account.
One of these options was for Facebook to text a password reset code to the very number Mr Martindale had just tried to log in with.
He said he then selected the option, received the code, entered it, and logged into the person’s account.
What’s more, Facebook then gave him the option to change the password, which would have locked the real user out of their account, or to skip that stage, which means he never would have known his account had been hacked.
Mr Martindale says he was able to perform the same trick, using the exact same method, with another new number too.
“This can be game over for your account,” he wrote.
While a scammer won’t be able to target specific accounts using this method, anyone who still has an old number linked to their account could potentially be vulnerable.
“Once I have an account, there’s plenty of possibilities,” he explained. “People buy Facebook accounts on the black market all the time, and even in more public places like Reddit. Or I could message the account’s friends and ask for money.”
Mr Martindale also pointed out that this makes any apps you’ve logged into using your Facebook account vulnerable to scammers too.
The problem stems from the fact that Facebook allows you to link multiple phone numbers to your account, and doesn’t force you to remove old ones once you’ve stopped using them.
Mr Martindale says he reported the issue to Facebook three months ago, which acknowledged it was a “concern”, but hasn’t yet done anything about it.
“There are situations where phone numbers expire and are made available to someone other than the original owner,” the company responded. “For example, if a number has a new owner and they use it to log into Facebook, it could trigger a Facebook password reset. If that number is still associated with a user’s Facebook account, the person who now has that number could then take over the account.
“While this is a concern, this isn’t considered a bug for the bug bounty program. Facebook doesn’t have control over telecom providers who reissue phone numbers or with users having a phone number linked to their Facebook account that is no longer registered to them.”
Fortunately, you can protect yourself easily.
The first thing you should do is unlink any old numbers and email addresses from your account, by visiting Settings.
From here, you can also set up two-factor authentication and enable alerts about unrecognised logins.