Meta has acknowledged that phone number reuse that allows takeovers of its accounts “is a concern,” but the ad biz insists the issue doesn’t qualify for its bug bounty program and is a matter for telecom companies to sort out.

The core problem is that telecom companies recycle phone numbers that have been abandoned after a brief waiting period – at least 45 days in the US. That can become a problem because many online services require a phone number to identify users and/or send one-time passwords for two-factor authentication. Users who abandon a number, and forget to update their new number, are therefore at risk of malicious account reset attempts by whoever gets access to their old numbers. Account takeovers are a common consequence.

This is not a new issue. In 2021, privacy researchers from Princeton University published a report [PDF] on the topic titled, “Security and Privacy Risks of Number Recycling at Mobile Carriers in the United States.”

The report found 171 of 259 sampled numbers “were tied to existing accounts at popular websites, potentially allowing those accounts to be hijacked.” It also found that 100 of those 259 were linked to leaked login credentials that would make it easier to defeat SMS-based multi-factor authentication.

The findings were disclosed to telecom carriers in October 2020, and various measures were put into place to make it more difficult to hijack telecom accounts. T-Mobile for example published a support page advising customers who change numbers to “update your contact number on any accounts that may have your number saved, such as notifications for bank accounts, social media, etc.”

Nonetheless, it appears this vulnerability persists with other online services that rely on mobile phone numbers for multi-factor authentication.

Enter one of Big Tech’s least favorite activists

Privacy consultant Alexander Hanff, an occasional contributor to The Register, noted a social media post in which a Reddit user describes gaining access to a “random girl’s” account by using a newly provisioned mobile phone number to login to Meta’s Instagram service.

“So naturally I got curious and tested other apps,” the post says. “TikTok, Snapchat, Amazon, Facebook, Messenger, Cash App, and DoorDash were all easily accessible with this new number into this random person’s account. But now I’m also scared because if I can do it, then the person who gets my old number can [too]? Isn’t this like against some law or something?”

The post omits some details that clarify how this might work – The Register has not verified that all the services cited above can be compromised as claimed.

If, for example, a Facebook user changes phone numbers but fails to note that change in Facebook or other accounts that use it for authentication, the recipient of the old, recycled number can try to login to the Facebook account still linked to that number. Doing so generally requires a password too.

But not having the password isn’t necessarily a barrier. The phone number may be sufficient to reset the password and access it despite multi-factor authentication. Typically, users are sent notification of the password change to the email address associated with their account.

In some login flows for a new sign-in, like the one used by DoorDash, an email address is required first, though isn’t necessary thereafter. After providing an email address and clicking “Continue to Sign In,” a user can provide that same email address or a phone number to receive a one-time verification code sent in a text message that completes the login process. In this instance, controlling the phone number provides account access without need for concurrent email validation.

Procedural variations aside, initiating a password reset without permission to hijack an online account is against the law in the US, the UK, and elsewhere, Hanff wrote in his reply, in addition to being a privacy intrusion.

Hanff subsequently tried to alert Meta. “I reported this under their security vulnerabilities (bug bounty) system as there is no other obvious way to report this,” he told The Register. “Obviously I am not interested in any bounty, I am just trying to get this fixed, but Meta has a habit of obstructing people from contacting them.”

No bounty for you says Meta

Meta has rejected Hanff’s bug bounty report. The company’s reply, provided to The Register, reads as follows:

Hanff, in a LinkedIn post, argued this is unacceptable.

“We do not say ‘Well we know that passwords with low entropy can be hacked very quickly, but we are not responsible for people using password busting technology so we will continue to allow four-character passwords consisting of only lower-case letters in the first half of the alphabet,'” he wrote.

“So if you know a risk exists, the whole point of security design is to mitigate or remove those risks, not ignore them because you are not responsible for them.”

Hanff said he has reported Meta to the Irish Data Protection Commission for alleged violations of Articles 5, 25 and 32 of Europe’s General Data Protection Regulation. Those rules require responsible data handling.

Meta did not immediately respond to a request for comment, nor did AT&T, T-Mobile, and Verizon. ®

Related Post