Help Net Security - Daily information security news with a focus on enterprise security.
How attackers can hijack your Facebook account

Zeljka Zorz, Managing Editor, Help Net Security
June 16, 2016

Positive Technologies researchers have demonstrated that knowing a user’s phone number and how to exploit a vulnerability in the SS7 network is enough to hijack that user’s Facebook account.

As demonstrated in the above video, attackers can take advantage of the social network’s password recovery functionality to make it send a one-time password via SMS to the user.

In the meantime, they can exploit vulnerabilities in the SS7 network to acquire details about the victim’s mobile device and register him in a fake roaming network. This allows them to receive all the calls and SMSes intended for the victim, including the aforementioned SMS from Facebook.

With the one-time code in hand, the attackers can easily access the victim’s Facebook account and wrestle it away from her by changing the password.

SS7 (Signalling System No. 7) is the set of telephony signaling protocols used by thousands of telecoms around the world so that their users can connect to other carriers' networks when traveling. It is widely known to be vulnerable; network operators are trying to implement protections, but it takes time for everyone to get on board.

Security researcher Karsten Nohl told Forbes that setting up simple firewall rules would solve 90 per cent of the security issues associated with SS7.

In the meantime, your Facebook account can be made secure from this specific attack by setting up the two-factor authentication provided by the company. Once the user switches it on, the password recovery feature no longer offers the option of receiving the one-time password via SMS.

Given that this attack is possible due to the vulnerability of the SS7 system and not Facebook, it’s possible it could also work for hijacking accounts with other online services that use the same account recovery mechanism. Of course, that’s only if that account has a cell phone number associated with it.
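As an added illustration (not code from the article, Positive Technologies or Facebook), here is a constructed Python model of an account-recovery flow that applies the mitigation described above: SMS delivery of the one-time code is withheld once a second factor is enrolled, and codes are short-lived, single-use and guess-limited, so an intercepted or guessed SMS code is worth little. The `Account` and `RecoveryService` names, the channel names and the 6-digit code format are assumptions made for the example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Constructed model of an account-recovery flow; names are illustrative, not Facebook's.
@dataclass
class Account:
    username: str
    email: str
    phone: Optional[str] = None   # linked recovery phone number, if any
    two_factor: bool = False      # user has switched on two-factor authentication

class RecoveryPolicyError(Exception):
    """Requested recovery channel is not allowed by policy."""

def allowed_recovery_channels(account: Account) -> list:
    """Channels through which a one-time recovery code may be delivered.
    SMS is offered only when no second factor is enrolled: with 2FA on, no code is
    ever pushed over the mobile network, so intercepting the victim's SMS yields nothing."""
    channels = ["email"]
    if account.phone and not account.two_factor:
        channels.append("sms")
    return channels

class RecoveryService:
    """Issues short-lived, single-use recovery codes and checks them."""

    def __init__(self, ttl_seconds: int = 300, max_attempts: int = 5):
        self.ttl, self.max_attempts = ttl_seconds, max_attempts
        self._pending = {}   # username -> pending challenge

    def start(self, account: Account, channel: str, now: Optional[float] = None) -> str:
        if channel not in allowed_recovery_channels(account):
            raise RecoveryPolicyError(f"{channel!r} not allowed for {account.username}")
        code = f"{secrets.randbelow(10**6):06d}"   # 6-digit one-time code
        expires = (time.time() if now is None else now) + self.ttl
        self._pending[account.username] = {"code": code, "expires": expires, "attempts": 0}
        return code   # a real system hands this to the mail/SMS gateway, never to the caller

    def verify(self, account: Account, code: str, now: Optional[float] = None) -> bool:
        challenge = self._pending.get(account.username)
        if challenge is None or (time.time() if now is None else now) > challenge["expires"]:
            self._pending.pop(account.username, None)   # expired or never started
            return False
        challenge["attempts"] += 1
        ok = hmac.compare_digest(challenge["code"], code)   # constant-time comparison
        if ok or challenge["attempts"] >= self.max_attempts:
            del self._pending[account.username]   # single use; drop after too many guesses
        return ok
```

The `now` parameter exists only so expiry can be exercised deterministically; leave it unset in real use.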
