Facebook has got your number – even if it’s not your number

Do you value your Facebook account? Have you linked your phone number to your Facebook account? You could lose access to it if you aren’t careful, according to James Martindale, who discovered a worrisome Facebook authentication vulnerability.

Facebook encourages you to give it your phone number “to help secure your account”, and you can link multiple numbers to your account. That means that you – or anyone with access to your number – can take control of your account.

However, phone numbers, especially cellphone numbers, are re-assigned to other people and businesses on a constant basis – which means if you change your number, your old number may well be re-assigned to someone else.

And that means that whoever has your old number could potentially take over your Facebook account if that old number is still linked to it.

Martindale discovered the bug while trying to port his phone number to Google Voice, explaining:

I got a really photogenic phone number from a VoIP phone carrier called FreedomPop. I wanted to move this number to Google Voice. Unfortunately Google Voice can’t port in from landline numbers, and VoIP numbers are pretty much landline numbers. In order to pull this off, I signed up for a prepaid plan from T-Mobile. The plan was to port my number from FreedomPop to T-Mobile, and then from T-Mobile to Google Voice.

My T-Mobile SIM card arrived and I stuck it into my phone. While I looked over the activation instructions that came with the SIM card, I got two texts. The first is from somebody I don’t know, and the second is one of those texts Facebook sends out when you haven’t logged in for a while… except I hadn’t added this phone number to Facebook yet.

Knowing that you can search Facebook with a phone number, Martindale looked for the number, which was associated with an account, and then tried to sign in to that account.  He went on:

Of course it didn’t work. So I clicked on Forgot your password. The recovery option with the completely visible phone number was the one I entered. Facebook texts me a code, I enter it, and I’m logged in.

Facebook didn’t consider the vulnerability worthy of its bug bounty program. Here’s the message they sent Martindale:

There are situations where phone numbers expire and are made available to someone other than the original owner. For example, if a number has a new owner and they use it to log into Facebook, it could trigger a Facebook password reset. If that number is still associated with a user’s Facebook account, the person who now has that number could then take over the account.

While this is a concern, this isn’t considered a bug for the bug bounty program. Facebook doesn’t have control over telecom providers who reissue phone numbers or with users having a phone number linked to their Facebook account that is no longer registered to them.

Facebook accounts are often sold on the Dark Web, so Martindale concluded that this vulnerability can be exploited to take over millions of Facebook accounts and make a lot of money.

If you want to avoid having your Facebook account hijacked, make sure that any phone numbers you’ve linked to your account are currently being used by you, and make sure that you have set Facebook to alert you about unrecognized logins. Martindale hopes that by publicizing this vulnerability, Facebook might take action.