Help Net Security - Daily information security news with a focus on enterprise security.
Zeljka Zorz
Zeljka Zorz, Editor-in-Chief, Help Net Security
June 16, 2016

How attackers can hijack your Facebook account

Positive Technologies researchers have demonstrated that knowing a user’s phone number and how to exploit a vulnerability in the SS7 network is enough to hijack that user’s Facebook account.

As demonstrated in the above video, attackers can take advantage of the social network’s password recovery functionality to make it send a one-time password via SMS to the user.

In the meantime, they can exploit vulnerabilities in the SS7 network to acquire details about the victim’s mobile device and register the victim in a fake roaming network. This allows them to receive all the calls and SMS messages intended for the victim, including the aforementioned SMS from Facebook.

With the one-time code in hand, the attackers can easily access the victim’s Facebook account and wrestle it away from the victim by changing the password.

SS7 (Signalling System No. 7) is a set of telephony signaling protocols used by thousands of telecoms around the world so that their subscribers can connect to other operators’ networks when traveling. It is widely known to be vulnerable, and network operators are trying to implement protections, but it takes time for everyone to get on board.

Security researcher Karsten Nohl told Forbes that setting up simple firewall rules would solve 90 per cent of the security issues associated with SS7.

In the meantime, your Facebook account can be made secure from this specific attack by enabling the two-factor authentication the company provides. Once the user switches it on, the password recovery feature no longer offers the option of receiving the one-time password via SMS.
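To make the mitigation concrete, here is an added example (not Facebook’s code, nor part of the original article) of a minimal account-recovery policy: SMS one-time codes are offered only while the account has no second factor, and once a TOTP authenticator is enrolled the reset must be proven with a TOTP code, so a code intercepted over SS7 no longer helps. The `Account` fields, the 30-second TOTP step and the one-step drift window are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
import struct
import time
from dataclasses import dataclass
from typing import List, Optional


def totp(secret: bytes, step: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1 as in RFC 4226) for a given 30-second time step."""
    mac = hmac.new(secret, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


@dataclass
class Account:
    phone: str
    totp_secret: Optional[bytes] = None    # set once the user has enabled 2FA (assumed field)
    pending_sms_otp: Optional[str] = None  # last SMS code issued, single use


def recovery_channels(acct: Account) -> List[str]:
    """Channels the recovery flow offers; SMS disappears as soon as 2FA is on."""
    if acct.totp_secret is not None:
        return ["authenticator"]
    return ["sms"] if acct.phone else []


def send_sms_otp(acct: Account) -> str:
    """Issue a one-time code over SMS (returned here so the example is self-contained)."""
    if "sms" not in recovery_channels(acct):
        raise PermissionError("SMS recovery is not available for this account")
    acct.pending_sms_otp = f"{secrets.randbelow(10 ** 6):06d}"
    return acct.pending_sms_otp


def reset_password(acct: Account, channel: str, code: str, now: Optional[int] = None) -> bool:
    """Accept the reset only over a channel the account currently offers."""
    if channel not in recovery_channels(acct):
        return False                       # e.g. an SMS code presented against a 2FA account
    if channel == "sms":
        ok = acct.pending_sms_otp is not None and hmac.compare_digest(code, acct.pending_sms_otp)
        acct.pending_sms_otp = None        # single use, whether or not it matched
        return ok
    step = int((time.time() if now is None else now) // 30)
    # Tolerate one step of clock drift on either side of the current step.
    return any(hmac.compare_digest(code, totp(acct.totp_secret, s)) for s in (step - 1, step, step + 1))
```

The account without 2FA shows the risk the article describes: whoever holds the SMS code can reset the password; the same request is refused outright once an authenticator is enrolled.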

Given that this attack is possible due to the vulnerability of the SS7 system and not Facebook, it’s possible it could also work for hijacking accounts with other online services that use the same account recovery mechanism. Of course, that’s only if that account has a cell phone number associated with it.
