A major flaw in Facebook's account recovery feature allows anyone who holds a phone number still linked to an account to break into it, a security researcher has revealed.
The attacker does not need the account's password at all, and once inside can lock the real owner out simply by changing it.
James Martindale discovered the issue when he put a new SIM card into his smartphone. Facebook sent a text telling him that he hadn’t logged into his account for a while so he duly tried.
In a post on Medium, Mr Martindale said that he searched for the number on Facebook, which brought up a connected account. He used the number as the username and entered a random password.
The password failed, but clicking the 'Forgot Password' option revealed some worrying choices.
One option for the account was to send a password reset code by text message. He tried it and successfully logged in to ANOTHER person's account. Worse, he was then offered the option to change that account's password.
He repeated the experiment with a second number and it worked again. Mr Martindale explained: "This can be game over for your account. Once I have an account, there's plenty of possibilities."
“People buy Facebook accounts on the black market all the time, and even in more public places like Reddit. Or I could message the account’s friends and ask for money.”
In practice, any account that still has an old, reissued phone number linked to it is exposed, along with any third-party apps and sites that the owner signs into via their Facebook login.
Facebook responded: “There are situations where phone numbers expire and are made available to someone other than the original owner. For example, if a number has a new owner and they use it to log into Facebook, it could trigger a Facebook password reset. If that number is still associated with a user’s Facebook account, the person who now has that number could then take over the account.
“While this is a concern, this isn’t considered a bug for the bug bounty program. Facebook doesn’t have control over telecom providers who reissue phone numbers or with users having a phone number linked to their Facebook account that is no longer registered to them.”
Luckily, it is possible to protect yourself. In your account settings you can delete any old phone numbers and email addresses that are still connected to your account, and you can add two-factor authentication (preferably with an authenticator app rather than SMS codes, since a text to a reissued number is exactly the channel at issue).
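The two mitigations above, removing stale numbers and enrolling a second factor, map directly onto checks a recovery flow can enforce server-side. The model below is an added example and is not Facebook's code or Mr Martindale's; it simulates the reset flow the article describes next to a hardened version, and the 90-day re-verification window, the account names, the phone numbers and the SMS gateway are all constructed assumptions. The "new owner" of a recycled number is modelled as whoever can read that number's inbox.

```python
"""SMS password reset: the flow described in the article next to a hardened one.
Added example with constructed data; NOT Facebook's implementation."""
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

NOW = datetime(2017, 3, 1, tzinfo=timezone.utc)   # constructed "current time"
REVERIFY_WINDOW = timedelta(days=90)               # assumed policy: older numbers are treated as possibly reissued


@dataclass
class Account:
    user_id: str
    password: str
    phones: Dict[str, datetime]           # number -> when the owner last confirmed it
    second_factor: Optional[str] = None   # stored secret; None means no 2FA enrolled


class SmsGateway:
    """Stand-in for the carrier: a text goes to whoever currently holds the number."""
    def __init__(self) -> None:
        self.inbox: Dict[str, list] = {}

    def send(self, phone: str, text: str) -> None:
        self.inbox.setdefault(phone, []).append(text)

    def read(self, phone: str) -> list:
        return self.inbox.get(phone, [])


class VulnerableRecovery:
    """Any number still linked to an account receives a code, and the code alone
    is enough to set a new password (the behaviour the article describes)."""
    def __init__(self, accounts, sms: SmsGateway) -> None:
        self.by_phone = {p: a for a in accounts for p in a.phones}
        self.by_uid = {a.user_id: a for a in accounts}
        self.sms = sms
        self.pending: Dict[str, str] = {}   # reset code -> user_id

    def request_reset(self, phone: str) -> bool:
        acct = self.by_phone.get(phone)
        if acct is None:
            return False
        code = secrets.token_hex(3)
        self.pending[code] = acct.user_id
        self.sms.send(phone, f"Your reset code is {code}")
        return True

    def redeem(self, code: str, new_password: str, totp: Optional[str] = None) -> bool:
        uid = self.pending.pop(code, None)
        if uid is None:
            return False
        self.by_uid[uid].password = new_password
        return True


class HardenedRecovery(VulnerableRecovery):
    """Two changes: a number not re-confirmed within REVERIFY_WINDOW gets no code,
    and an enrolled second factor must be presented before the password changes."""
    def request_reset(self, phone: str) -> bool:
        acct = self.by_phone.get(phone)
        if acct is None or NOW - acct.phones[phone] > REVERIFY_WINDOW:
            return False   # stale number: ask the owner to re-verify via another channel instead
        return super().request_reset(phone)

    def redeem(self, code: str, new_password: str, totp: Optional[str] = None) -> bool:
        uid = self.pending.get(code)
        if uid is None:
            return False
        acct = self.by_uid[uid]
        # Constant-time comparison against the stored secret stands in for real TOTP verification.
        if acct.second_factor is not None and not hmac.compare_digest(totp or "", acct.second_factor):
            self.pending.pop(code, None)   # burn the code; a real service would also rate-limit
            return False
        return super().redeem(code, new_password)


def _make_accounts():
    # "alice" confirmed her number 400 days ago and has since lost it; "bob" confirmed his recently and has 2FA.
    alice = Account("alice", "hunter2", {"+15550001": NOW - timedelta(days=400)})
    bob = Account("bob", "s3cret", {"+15550002": NOW - timedelta(days=5)}, second_factor="bob-totp")
    return [alice, bob]


def simulate_attacker(recovery_cls) -> Dict[str, bool]:
    """The holder of each (recycled) number asks for a reset and tries to use the code without 2FA."""
    sms = SmsGateway()
    accounts = _make_accounts()
    rec = recovery_cls(accounts, sms)
    outcome = {}
    for acct in accounts:
        phone = next(iter(acct.phones))
        rec.request_reset(phone)
        msgs = sms.read(phone)
        code = msgs[-1].split()[-1] if msgs else None
        outcome[acct.user_id] = code is not None and rec.redeem(code, "pwned")
    return outcome


def legitimate_reset_with_second_factor() -> bool:
    """Bob, who holds both his fresh number and his second factor, still gets through the hardened flow."""
    sms = SmsGateway()
    rec = HardenedRecovery(_make_accounts(), sms)
    rec.request_reset("+15550002")
    code = sms.read("+15550002")[-1].split()[-1]
    return rec.redeem(code, "new-strong-password", totp="bob-totp")


if __name__ == "__main__":
    print("vulnerable:", simulate_attacker(VulnerableRecovery))   # both accounts taken over
    print("hardened:  ", simulate_attacker(HardenedRecovery))     # neither account taken over
    print("legit bob: ", legitimate_reset_with_second_factor())   # True
```

The stale-number check corresponds to the user deleting old numbers (the server simply stops trusting them), and the second-factor gate is why 2FA helps even when the attacker can read the reset text. Note that if the second factor were itself SMS to the same reissued number, the attacker would hold both, which is why the example models it as a separate secret.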