Facebook security hole lets anyone easily break into people’s accounts without a password

The social network has described the finding as a 'concern', but hasn't yet plugged the hole

Aatif Sulleyman
Thursday 20 July 2017 11:36 BST
Comments
Fortunately, you can protect yourself easily
Fortunately, you can protect yourself easily (RAUL ARBOLEDA/AFP/Getty Images)

Your support helps us to tell the story

From reproductive rights to climate change to Big Tech, The Independent is on the ground when the story is developing. Whether it's investigating the financials of Elon Musk's pro-Trump PAC or producing our latest documentary, 'The A Word', which shines a light on the American women fighting for reproductive rights, we know how important it is to parse out the facts from the messaging.

At such a critical moment in US history, we need reporters on the ground. Your donation allows us to keep sending journalists to speak to both sides of the story.

The Independent is trusted by Americans across the entire political spectrum. And unlike many other quality news outlets, we choose not to lock Americans out of our reporting and analysis with paywalls. We believe quality journalism should be available to everyone, paid for by those who can afford it.

Your support makes all the difference.

A “gaping hole” in Facebook’s account recovery feature lets anyone easily break into an account, says a security researcher.

They don’t need to know your password to gain access, and can do it without you ever noticing.

However, if they wanted to, they could also choose to lock you out of your own account.

18-year-old James Martindale discovered the apparent shortcoming after he popped a new T-Mobile SIM card into his phone.

He said he quickly received a text from Facebook, informing him that he hadn’t logged into his account for a while, despite not having tied the new number to his account.

He then searched for the number on Facebook, which brought up a single account, and tried logging in to the social network by using the number as the username and typing in a random password.

The attempt failed because the password he entered was wrong, but clicking on the Forgot Password option that subsequently appeared opened up worrying possibilities.

The account Mr Martindale had found when he searched for the number was displayed on the screen, he said, alongside a list of account recovery options – comprising an email address and six phone numbers – for regaining access to the account.

One of these options was for Facebook to text a password reset code to the very number Mr Martindale had just tried to log in with.

After he selected the option, he said he received the code, entered it, and successfully logged into the person’s account.

What’s more, Facebook then gave him the option to change the password, which would have locked the real user out of their account, or to skip that stage, which means he never would have known his account had been hacked.

Mr Martindale says he was able to perform the same trick, using the exact same method, with another new number too.

“This can be game over for your account,” he wrote.

While a scammer won’t be able to target specific accounts using this method, anyone who still has an old number linked to their account could potentially be vulnerable.

“Once I have an account, there’s plenty of possibilities,” he explained. “People buy Facebook accounts on the black market all the time, and even in more public places like Reddit. Or I could message the account’s friends and ask for money.”

Mr Martindale also pointed out that this makes any apps you’ve logged into using your Facebook account vulnerable to scammers too.

The problem stems from the fact that Facebook allows you to link multiple phone numbers to your account, and doesn’t force you to remove old ones once you’ve stopped using them.

Mr Martindale says he reported the issue to Facebook three months ago, which acknowledged it was a “concern”, but hasn’t yet done anything about it.

“There are situations where phone numbers expire and are made available to someone other than the original owner,” the company responded. “For example, if a number has a new owner and they use it to log into Facebook, it could trigger a Facebook password reset. If that number is still associated with a user’s Facebook account, the person who now has that number could then take over the account.

“While this is a concern, this isn’t considered a bug for the bug bounty program. Facebook doesn’t have control over telecom providers who reissue phone numbers or with users having a phone number linked to their Facebook account that is no longer registered to them.”

Fortunately, you can protect yourself easily.

The first thing you should do is unlink any old numbers and email addresses from your account, by visiting Settings.

From here, you can also set up two-factor authentication and enable alerts about unrecognised logins.

Join our commenting forum

Join thought-provoking conversations, follow other Independent readers and see their replies

Comments

Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged in