How to hack Facebook with just a phone number

A flaw in the SS7 protocol makes hacking Facebook accounts easier than you'd think.


It is possible to compromise Facebook accounts using little more than a phone number, researchers have warned.

A security team from Positive Technologies claims that if you know the phone number of your intended victim, you can break into their linked Facebook account thanks to security flaws in the SS7 protocol.

As reported by Forbes, there is a segment of core telecommunications infrastructure which has been left vulnerable to exploitation for the last half decade.

SS7 is a protocol developed in 1975 which is used worldwide to define how networks in a public switched telephone network (PSTN) exchange information over a digital signaling network. However, a network based on SS7 will, by default, trust messages sent over it -- no matter where the message originated from.

The security flaw lies within the network and how SS7 handles these requests, rather than a bug on Facebook's platform. All cyberattackers need to do is to follow the "Forgot account?" procedure through Facebook's homepage, and when asked for a phone number or email address, offer the legitimate phone number.

Once Facebook has sent along an SMS message containing the one-time code used to access the account, the SS7 security flaw can then be exploited to divert this code to the attacker's own mobile device, granting them access to the victim's account.

Positive Technologies provided a proof-of-concept (PoC) video demonstrating the attack.

The victim must have linked their phone number to the target account, but as the security flaw is found within the telecommunications network and not online domains, this attack will also work against any web service which uses the same account recovery procedure -- such as Gmail and Twitter.

Two-step verification is becoming more and more crucial, but until vulnerabilities in telecom services are fixed, using email recovery methods may be the best way to go -- as well as the use of very strong, complex passwords for any main 'hub' email accounts you use to maintain other online services.
