Roughly a fourth of the world's population logs on to Facebook every month. The millions of them who secure their accounts with their phone numbers are vulnerable to losing control of their Facebook data to hackers.
It's not just Facebook users who are at risk of finding themselves shut out of their accounts after their means of restoring access has been changed. Any account that uses a phone number as a way to restore access is vulnerable — that includes Gmail, Twitter, Yahoo Mail and a crowd of others.
Any additional way into an account for the user is yet another door that can be unlocked by a hacker. And if users opt to install a door secured by their phone numbers, they're giving hackers an easier option than the front door, according to experts.
Researchers from Positive Technologies have issued a proof of concept that shows how a commonly exploited flaw can be used as a tool to spring the locks on Facebook accounts. The concept leverages a well-known flaw in the SS7 (Signaling System 7) protocol, technology developed in the mid-1970s to manage the signaling information exchanged over PSTNs (Public Switched Telephone Networks).
Positive Technologies previously showed how the SS7 flaw could be exploited to pinpoint a person's location using only that individual's phone number. This time, the research firm has shown that the protocol can be used to intercept the security codes meant for account holders.
Armed with a target's phone number, hackers only need to click Facebook's "Forgot your password?" option and enter the victim's number. Then, using the SS7 flaw, the hacker redirects the security code Facebook generates and uses it to log into the victim's account.
Location tracking and Facebook hacking aren't the only uses for the SS7 vulnerability. Positive Technologies also found that hackers could use the exploit to decode encrypted messages. That's because secure messaging apps use SMS authentication just as account recovery systems do.
"SMS authentication is one of the major security mechanisms for services like WhatsApp, Facebook, Google, Viber, etc.," states Positive Technologies. "Devices and applications send SMS messages via the SS7 network to verify identity, and an attacker can easily intercept these and assume the identity of the legitimate user."
One of the major takeaways from all of this is that users should be wary of using their phone numbers to secure their accounts. That, and the fact that it's time to improve SS7 security.