Pierluigi Paganini June 15, 2016

Hacking Facebook Accounts with just a phone number is possible, experts from Positive Technologies demonstrated it exploiting flaws in the SS7 protocol.

Hacking Facebook accounts by knowing phone numbers it is possible, a group of researchers from Positive Technologies demonstrated it.

“Researchers have proven just that by taking control of a Facebook account with only a phone number and some hacking skills to exploit the SS7 network, a core piece of telecoms infrastructure shown to be vulnerable repeatedly over the last half decade.” reported a blog post published on Forbes.

The hackers exploit a flaw in the SS7 protocol for hacking Facebook accounts just by knowing a victim’s phone number. The technique allows bypassing any security measure implemented by the giant of the social networks.

SS7 is a set of protocols used in telecommunications ever since the late 1970s, enabling smooth transportation of data without any breaches.

The security issue in the SS7 signalling system could be exploited by criminals, terrorists and intelligence agencies to spy on communications. The SS7 protocol allows cell phone carriers to collect location data related to the user’s device from cell phone towers and share it with other carriers, this means that exploiting the SS7 a carrier is able to discover the position of its customer everywhere he is.

The team of researchers from Positive Technologies is the same that recently demonstrated how to hack WhatsApp and Telegram accounts by leveraging on the SS7 protocol.

The attack method devised by the experts from Positive Technologies works against any service that relies on SMS to verify the user accounts, including Gmail and Twitter.

Hacking Facebook accounts is a reality, the attacker first needs to follow the “Forgot account?” procedure by clicking on a link present in the Facebook homepage. At this point, when asked for a phone number or email address belonging to the target account, the hacker needs to provide the legitimate phone number.

At this point, the attacker can exploit the flaw in the SS7 to hijack the SMS containing a one-time passcode (OTP) that is used to log in the target’s Facebook account.

Hacking Facebook accounts is possible only if users have registered a phone number and have authorized Facebook Texts.

To protect your facebook account do not link your phone number to social media sites, instead use emails for the recovery process. Always enable two-factor authentication that uses email instead SMS texts for receiving passcodes.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – SS7, Hacking Facebook Accounts)

[adrotate banner=”13″]