Facebook SMS Notifications Security Vulnerability

Many services, Facebook among them, ask users to register a valid mobile number and let them choose to receive account messages via SMS. Many Facebook users take advantage of this option. When a mobile number is disconnected, after a period of time the carrier returns it to the pool of available numbers and can assign it to a buyer of a new SIM card. Failing to update the mobile number on your Facebook account may therefore leave the account exposed to whoever receives your old number.

I personally experienced this vulnerability when purchasing a new SIM card. I was given a choice of one from about twenty different available numbers in the number pool. I arbitrarily picked one of the numbers which seemed easy to remember. After setting up my new SIM card I began receiving SMS messages from Facebook with links to updates from apparent friends and family.

After checking that the SMS messages were legitimately from Facebook, I opened one of the links, only to be redirected to a complete stranger’s Facebook account via my device’s web browser. The account was automatically logged in without the need for the user’s password, and I had apparently gained full control of the user’s Facebook account.

I was able to change any of the personal information, including contact details, as a phone verification code would be sent to my new number and not to the actual user. I updated the user’s status with a request that he remove his old number (my current one) from his Facebook account. The user apparently tried to update his contact details, but the verification code was sent to my number via SMS.



This vulnerability was still open the last time I checked. There are several ways to counter the problem. One is for Facebook to stop sending out these links, or at least to require users to enter their password when they are redirected to Facebook from a link, rather than logging the bearer in automatically. The most effective way for a user to control this vulnerability is simply to opt out of SMS updates in the Facebook settings or, when changing mobile numbers, to delete the old number, so that a person who buys a new SIM card carrying your old number cannot receive one of these Facebook links.
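The service-side fix suggested above, as an added example that is not Facebook's code or anything from the original post: a notification link carries an opaque, short-lived, single-use token, and the hardened handler only ever uses that token to pick a destination, never to create a session. The class, method and path names are assumptions made up for the illustration.

```python
import secrets
import time
from urllib.parse import quote


class NotificationLinks:
    """Issues and redeems the tokens embedded in SMS notification links.

    The token store is an in-memory dict constructed for this example; a real
    service would keep it server-side and persist it.
    """

    def __init__(self, ttl_seconds=3600, now=time.time):
        self.ttl = ttl_seconds
        self.now = now            # injectable clock so expiry can be tested
        self._tokens = {}         # token -> (user_id, path, issued_at)

    def issue(self, user_id, path):
        # Unguessable token; this is the only secret that goes into the SMS.
        token = secrets.token_urlsafe(24)
        self._tokens[token] = (user_id, path, self.now())
        return token

    def _lookup(self, token):
        rec = self._tokens.get(token)
        if rec is None or self.now() - rec[2] > self.ttl:
            self._tokens.pop(token, None)   # expired tokens are discarded
            return None
        return rec

    def open_auto_login(self, token):
        # The behaviour described in the post: clicking the link logs the
        # bearer in. Whoever now holds the recycled phone number holds the account.
        rec = self._lookup(token)
        if rec is None:
            return None
        self._tokens.pop(token)
        user_id, path, _ = rec
        return {"session_user": user_id, "redirect": path}

    def open_require_session(self, token, session_user=None):
        # Hardened: the token names a destination only. The bearer must already
        # hold an authenticated session for that same user, otherwise they are
        # sent to the login page and the token stays unconsumed.
        rec = self._lookup(token)
        if rec is None:
            return None
        user_id, path, _ = rec
        if session_user != user_id:
            return {"session_user": session_user,
                    "redirect": "/login?next=" + quote(path, safe="")}
        self._tokens.pop(token)           # single use once actually honoured
        return {"session_user": user_id, "redirect": path}
```

With the hardened handler, a stranger who receives the SMS learns nothing more than that a notification exists, since the link itself never yields a logged-in session.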

The control measure is preventive. By removing old phone numbers from your Facebook account you prevent the links from being sent to the wrong individual. By opting out of SMS updates, the risk from these links is reduced to zero because no links are sent via SMS at all, and so no third party can gain access through one of them, even if the device is left unattended and unlocked.

If a user opts to receive SMS updates, the risk isn’t entirely removed. A third party may have physical access to the device and could open one of the SMS links. If a user doesn’t delete their old number from Facebook, someone who obtains that number may still receive SMS updates on the user’s behalf until the user opts out of the SMS update service.

Users may wish to keep receiving SMS updates, so opting out of the service affects the user experience negatively. If the number in question is an old phone number, deleting it from the Facebook settings has no effect on the user experience, and doing so immediately is advised, to avoid having the Facebook account taken over by a third party.
