The core problem is that telecom companies recycle phone numbers that have been abandoned after a brief waiting period - at least 45 days in the US. That can become a problem because many online services require a phone number to identify users and/or send one-time passwords for two-factor authentication.
Users who abandon a number, and forget to update their new number, are therefore at risk of malicious account reset attempts by whoever gets access to their old numbers.
The findings were disclosed to telecom carriers in October 2020, and various measures were put into place to make it more difficult to hijack telecom accounts.
It appears this vulnerability persists with other online services that rely on mobile phone numbers for multi-factor authentication.
Enter one of Big Tech's least favorite activists.
The post omits some details that clarify how this might work - The Register has not verified that all the services cited above can be compromised as claimed.
If, for example, a Facebook user changes phone numbers but fails to note that change in Facebook or other accounts that use it for authentication, the recipient of the old, recycled number can try to login to the Facebook account still linked to that number.
Not having the password isn't necessarily a barrier.
The phone number may be sufficient to reset the password and access it despite multi-factor authentication.
In some login flows for a new sign-in, like the one used by DoorDash, an email address is required first, though it isn't necessary thereafter.
In this instance, controlling the phone number provides account access without need for concurrent email validation.
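The flow described above, where possession of a phone number alone unlocks a password reset, is what a service can defend against on its own side, regardless of what carriers do. The following is an added example, not Meta's, DoorDash's or any carrier's code: a hypothetical recovery-policy check that treats a phone factor as stale once it has gone longer than the 45-day recycling window cited above without the user re-proving possession, and then refuses to let SMS be the only channel for the reset. The `Account`, `PhoneFactor` and `recovery_decision` names, and the sample accounts, are constructed for the illustration.

```python
"""Hypothetical recovery-policy check (constructed example, not the code of
Meta, DoorDash or any carrier).  Models the risk in the article: a phone number
that has not been re-verified for longer than the carrier recycling window may
now belong to someone else, so it must not be the sole factor for a reset."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# The article cites a minimum 45-day waiting period in the US before a number
# is reissued; a service can use that as the upper bound on how long a
# verified number stays trustworthy on its own.
RECYCLE_WINDOW = timedelta(days=45)

# Constructed "current time" used by the sample data below.
SAMPLE_NOW = datetime(2024, 2, 14, tzinfo=timezone.utc)


@dataclass
class PhoneFactor:
    number: str            # E.164 string; sample values are constructed
    verified_at: datetime  # last time the user echoed back a code sent to it


@dataclass
class Account:
    user_id: str
    phone: PhoneFactor
    email_verified: bool   # whether a confirmed email channel exists


def phone_is_stale(phone: PhoneFactor, now: datetime) -> bool:
    """True when possession has not been re-proved within the recycling window."""
    return now - phone.verified_at > RECYCLE_WINDOW


def recovery_decision(account: Account, now: datetime, email_confirmed: bool) -> str:
    """Decide whether an SMS-driven password reset may proceed.

    Returns one of:
      "allow"          - phone re-verified recently; SMS alone is acceptable
      "require_email"  - phone is stale; demand email confirmation first
      "deny"           - phone is stale and no email channel exists; send the
                         request to a manual / fallback recovery path
    """
    if not phone_is_stale(account.phone, now):
        return "allow"
    if account.email_verified:
        return "allow" if email_confirmed else "require_email"
    return "deny"


def accounts_needing_reverification(accounts, now):
    """Users to prompt for phone re-confirmation (or removal of the number)
    before their old number could have been handed to someone else."""
    return [a.user_id for a in accounts if phone_is_stale(a.phone, now)]


def sample_accounts(now=SAMPLE_NOW):
    """Constructed sample data: one fresh factor, two stale ones."""
    return [
        Account("u1", PhoneFactor("+15550000001", now - timedelta(days=10)), True),
        Account("u2", PhoneFactor("+15550000002", now - timedelta(days=120)), True),
        Account("u3", PhoneFactor("+15550000003", now - timedelta(days=90)), False),
    ]


if __name__ == "__main__":
    for acct in sample_accounts():
        print(acct.user_id, recovery_decision(acct, SAMPLE_NOW, email_confirmed=False))
    print("re-verify:", accounts_needing_reverification(sample_accounts(), SAMPLE_NOW))
```

The point of the design is that the phone number's trustworthiness decays on the carrier's schedule, not the user's: once the window has passed, the service either demands a second channel it still controls or drops to a slower recovery path, and it proactively asks users with aging numbers to confirm them before the number can change hands.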
Procedural variations aside, initiating a password reset without permission in order to hijack an online account is against the law in the US, the UK, and elsewhere, Hanff wrote in his reply, in addition to being a privacy intrusion.
There are situations where phone numbers expire and are made available to someone other than the original owner.
If a number has a new owner and they use it to log into Facebook, it could trigger a Facebook password reset.
If that number is still associated with the user's Facebook account, the person who now has that number could then take over the account.
While this is a concern, this isn't considered a bug for the bug bounty program.
Facebook doesn't have control over telecom providers who reissue phone numbers, or over users having a phone number linked to their Facebook account that is no longer registered to them.
Hanff, in a LinkedIn post, argued this is unacceptable.
Hanff said he has reported Meta to the Irish Data Protection Commission for alleged violations of Articles 5, 25 and 32 of Europe's General Data Protection Regulation.
Meta did not immediately respond to a request for comment, nor did AT&T, T-Mobile, and Verizon.
This Cyber News was published on www.theregister.com. Publication date: Wed, 14 Feb 2024 00:59:04 +0000