Meta has acknowledged that telephone number reuse that allows takeovers of its accounts "is a concern," but nan advertisement biz insists nan rumor doesn't suffice for its bug bounty programme and is simply a matter for telecom companies to benignant out.
The halfway problem is that telecom companies recycle telephone numbers that person been abandoned aft a little waiting play – astatine slightest 45 days successful nan US. That tin go a problem because galore online services require a telephone number to place users and/or nonstop one-time passwords for two-factor authentication. Users who wantonness a number, and hide to update their caller number, are truthful astatine consequence of malicious relationship reset attempts by whoever gets entree to their aged numbers. Account takeovers are a communal consequence.
This is not a caller issue. In 2021, privateness researchers from Princeton University published a report [PDF] connected nan taxable titled, "Security and Privacy Risks of Number Recycling astatine Mobile Carriers successful nan United States."
The study recovered 171 of 259 sampled numbers "were tied to existing accounts astatine celebrated websites, perchance allowing those accounts to beryllium hijacked." It besides recovered that 100 of those 259 were linked to leaked login credentials that would make it easier to conclusion SMS-based multi-factor authentication.
The findings were disclosed to telecom carriers successful October 2020, and various measures were put into spot to make it much difficult to hijack telecom accounts. T-Mobile for illustration published a support page advising customers who alteration numbers to "update your interaction number connected immoderate accounts that whitethorn person your number saved, specified arsenic notifications for slope accounts, societal media, etc."
Nonetheless, it appears this vulnerability persists pinch different online services that trust connected mobile telephone numbers for multi-factor authentication.
Enter 1 of Big Tech's slightest favourite activists
Privacy advisor Alexander Hanff, an occasional contributor to The Register, noted a societal media station successful which a Reddit personification describes gaining entree to a "random girl's" relationship by utilizing a recently provisioned mobile telephone number to login to Meta's Instagram service.
"So people I sewage funny and tested different apps," nan station says. "TikTok, Snapchat, Amazon, Facebook, Messenger, Cash App, and DoorDash were each easy accessible pinch this caller number into this random person's account. But now I'm besides frightened because if I tin do it, past nan personification who gets my aged number tin [too]? Isn't this for illustration against immoderate rule aliases something?"
- FCC gets tough: Telcos must now show you erstwhile your individual info is stolen
- Europe's largest caravan nine admits wide array of individual information perchance accessed
- Crime pack targeted jobseekers crossed Asia, looted 2 cardinal email addresses
- Meta to effort 'cutting edge' AI discovery connected its platforms - asking group to adhd labels
The station omits immoderate specifications that explain really this mightiness activity – The Register has not verified that each nan services cited supra tin beryllium compromised arsenic claimed.
If, for example, a Facebook personification changes telephone numbers but fails to statement that alteration successful Facebook aliases different accounts that usage it for authentication, nan recipient of nan old, recycled number tin effort to login to nan Facebook relationship still linked to that number. Doing truthful mostly requires a password too.
But not having nan password isn't needfully a barrier. The telephone number whitethorn beryllium capable to reset nan password and entree it contempt multi-factor authentication. Typically, users are sent notification of nan password alteration to nan email reside associated pinch their account.
In immoderate login flows for a caller sign-in, for illustration nan 1 utilized by DoorDash, an email reside is required first, though isn't basal thereafter. After providing an email reside and clicking "Continue to Sign In," a personification tin supply that aforesaid email reside aliases a telephone number to person a one-time verification codification sent successful a matter connection that completes nan login process. In this instance, controlling nan telephone number provides relationship entree without request for concurrent email validation.
Procedural variations aside, initiating a password reset without support to hijack an online relationship is against nan rule successful nan US, nan UK, and elsewhere, Hanff wrote successful his reply, successful summation to being a privateness intrusion.
Hanff subsequently tried to alert Meta. "I reported this nether their information vulnerabilities (bug bounty) strategy arsenic location is nary different evident measurement to study this," he told The Register. "Obviously I americium not willing successful immoderate bounty, I americium conscionable trying to get this fixed, but Meta has a wont of obstructing group from contacting them."
No bounty for you says Meta
Meta has rejected Hanff's bug bounty report. The company's reply, provided to The Register, sounds arsenic follows:
Hanff, successful a LinkedIn post, argued this is unacceptable.
"We do not opportunity 'Well we cognize that passwords pinch debased entropy tin beryllium hacked very quickly, but we are not responsible for group utilizing password busting exertion truthful we will proceed to let four-character passwords consisting of only lower-case letters successful nan first half of nan alphabet,'" he wrote.
"So if you cognize a consequence exists, nan full constituent of information creation is to mitigate aliases region those risks, not disregard them because you are not responsible for them."
Hanff said he has reported Meta to nan Irish Data Protection Commission for alleged violations of Articles 5, 25 and 32 of Europe's General Data Protection Regulation. Those rules require responsible information handling.
Meta did not instantly respond to a petition for comment, nor did AT&T, T-Mobile, and Verizon. ®