Positive Technologies researchers have demonstrated that knowing a user’s phone number and how to exploit a vulnerability in the SS7 network is enough to hijack that user’s Facebook account.
As demonstrated in the above video, attackers can take advantage of the social network’s password recovery functionality to make it send a one-time password via SMS to the user.
In the meantime, they can exploit vulnerabilities in the SS7 network to acquire details about the victim’s mobile device and register it in a fake roaming network. This lets them receive all the calls and SMSes intended for the victim, including the aforementioned SMS from Facebook.
With the one-time code in hand, the attackers can easily access the victim’s Facebook account and take it over by changing the password.
SS7 (Signalling System No. 7) is a set of telephony signaling protocols used by thousands of telecoms around the world so that their users can connect to different telecom networks when traveling. It is widely known to be vulnerable, and network operators are trying to implement protections, but it takes time for everyone to get on board.
Security researcher Karsten Nohl told Forbes that setting up simple firewall rules would solve 90 per cent of the security issues associated with SS7.
In the meantime, your Facebook account can be made secure from this specific attack by setting up the two-factor authentication provided by the company. Once the user switches it on, the password recovery feature no longer offers the option of receiving the one-time password via SMS.
Given that this attack is possible due to the vulnerability of the SS7 system and not Facebook, it’s possible it could also work for hijacking accounts with other online services that use the same account recovery mechanism. Of course, that’s only if that account has a cell phone number associated with it.
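The mitigation described above, as an added example in Python that is not Facebook’s code or any other service’s: a recovery-channel policy that stops offering SMS once an authenticator-based second factor is enrolled, so an SS7-redirected SMS has nothing to carry, plus a time-limited, single-use, constant-time check of the code that is sent. The `Account` data model, the channel names and the 300-second lifetime are assumptions made for the example.

```python
"""Account-recovery channel policy (added example, not any service's own code).

Assumed data model: an Account record with an optional phone number, an optional
e-mail address and a flag saying whether the user has enrolled an authenticator
as a second factor. The policy mirrors the behaviour the article describes: once
two-factor authentication is on, password recovery no longer offers a one-time
code over SMS, so redirecting the victim's SMS traffic yields nothing usable.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional
import hmac
import secrets
import time


class Channel(Enum):
    SMS = "sms"
    EMAIL = "email"
    AUTHENTICATOR = "authenticator"  # code generated on the user's device, never sent


class ChannelNotAllowed(Exception):
    """Raised when a recovery request asks for a channel the policy forbids."""


@dataclass
class Account:
    user_id: str
    phone: Optional[str] = None
    email: Optional[str] = None
    two_factor_enabled: bool = False


@dataclass
class PendingCode:
    channel: Channel
    code: str
    expires_at: float
    attempts_left: int = 3  # bounded guessing; burned to 0 on success


def allowed_recovery_channels(account: Account) -> List[Channel]:
    """Channels the recovery flow may use for this account.

    With 2FA enrolled, SMS is dropped entirely: the code must come from the
    authenticator, with e-mail as the only delivered fallback. Without 2FA,
    SMS is offered only if a phone number is on file.
    """
    channels: List[Channel] = []
    if account.two_factor_enabled:
        channels.append(Channel.AUTHENTICATOR)
        if account.email:
            channels.append(Channel.EMAIL)
        return channels
    if account.email:
        channels.append(Channel.EMAIL)
    if account.phone:
        channels.append(Channel.SMS)
    return channels


def issue_recovery_code(account: Account, channel: Channel,
                        ttl_seconds: int = 300,
                        now: Optional[float] = None) -> PendingCode:
    """Create a one-time code to deliver over `channel`, enforcing the policy.

    The refusal is the security-relevant step: a request for SMS on a
    2FA-protected account is rejected here rather than silently served.
    Authenticator codes are never issued server-side, so that channel is
    refused too (it is verified against the device's TOTP instead).
    """
    if channel not in allowed_recovery_channels(account) or channel is Channel.AUTHENTICATOR:
        raise ChannelNotAllowed(
            f"{channel.value} is not a permitted delivery channel for {account.user_id}")
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10 ** 6):06d}"  # six digits from a CSPRNG
    return PendingCode(channel=channel, code=code, expires_at=now + ttl_seconds)


def verify_recovery_code(pending: PendingCode, submitted: str,
                         now: Optional[float] = None) -> bool:
    """Constant-time, single-use, time-limited check of a submitted code."""
    now = time.time() if now is None else now
    if pending.attempts_left <= 0 or now > pending.expires_at:
        return False
    pending.attempts_left -= 1
    if hmac.compare_digest(pending.code, submitted):
        pending.attempts_left = 0  # burn the code so a captured copy cannot be replayed
        return True
    return False


if __name__ == "__main__":
    # Constructed sample accounts, not real users.
    plain = Account("alice", phone="+15550100", email="alice@example.test")
    protected = Account("bob", phone="+15550101", email="bob@example.test",
                        two_factor_enabled=True)
    print("alice may recover via:", [c.value for c in allowed_recovery_channels(plain)])
    print("bob may recover via:  ", [c.value for c in allowed_recovery_channels(protected)])
    try:
        issue_recovery_code(protected, Channel.SMS)
    except ChannelNotAllowed as exc:
        print("refused:", exc)
```

The policy function is the part worth copying: it is evaluated on the server from the account's enrolled factors, not from anything the client asks for, so a recovery request cannot downgrade itself to SMS on an account that has moved past it.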