Why You Should Delete Your Old Number from Facebook Now
If you have an old phone number linked to your Facebook account, delete it. Anyone who comes into possession of that number can log into your account sans password, and you won't get so much as a notification email.
The bug's finder says Facebook has no interest in fixing this gaping hole because it is, to paraphrase, someone else's problem.
James Martindale, an independent programmer, discovered the bug after he started getting Facebook reminders for someone else's account on a new phone number. He reported his findings to Facebook, and when the company blew him off, took his concerns to Medium instead, where he's had a much warmer reception.
The threat from this is bigger than it seems. Services such as Google Voice and companies like FreedomPop make purchasing new telephone numbers cheap and easy, and even let you choose from a selection of potential new numbers.
Because Facebook lets you search for users via their phone numbers, Martindale said it wouldn't be hard to check each potential new number to see if it was tied to a Facebook account. A budding cybercriminal could then buy the number, hijack the account, sell it on the black market, and repeat the process indefinitely.
Martindale explained that he wanted to purchase a new phone number (a "really photogenic" one), and had to do a little SIM-card juggling to get it on his phone. When the card was up and running, though, he got a text from Facebook saying that he hadn't logged in for a while and prompting him to fix that.
Martindale used Facebook's search feature to reverse-lookup the phone number and find the account to which it belonged. Out of curiosity, he tried to log into the account, using the phone number as the username, then claimed that he'd forgotten his password. As it turned out, the user's old phone number was still connected to their Facebook account, and Martindale could have chosen, if he'd wanted to, to receive a text message to reset the password.
Better still: Facebook does not actually require a user in these circumstances to reset his or her password, meaning that Martindale could have hijacked this user's account without a single notification reaching the legitimate user by Facebook or email. (Naturally, it would also be trivial to lock a user out of his or her own account by creating a new password.)
There are two extremely simple ways to prevent this from happening to you. The first is to remove old phone numbers from your account, which you can do by accessing Settings, selecting Mobile and then clicking or tapping on Remove next to any defunct number. The second is to activate two-factor authentication on Facebook, which means you'll need to grant or deny permission for any new Facebook login from your phone or tablet. Of course, if you set the second factor to be a texted code, you'll need to make sure that the receiving number is your current mobile number and not an old one.
Self-interested readers may have (correctly) deduced that this bug, while dangerous, cannot be directed at specific people. After all, if you purchase a new phone number through companies like FreedomPop (for as little as $5 each), you don't get to choose your own number. (Some services do offer "vanity" phone numbers for sale, but these cost hundreds of dollars.)
Still, the objective is not to compromise a particular person's Facebook account, but to compromise any sufficiently active account. From there, pulling off a phishing scam, an e-begging scheme via Messenger or simply putting accounts up for sale on the dark web would be trivial. A dedicated cybercriminal could make a few hundred dollars a day, to say nothing of what would happen if he or she chose to distribute malware via Facebook Messenger.
Martindale did get a response from Facebook when he informed the company of the bug, but it refused to give him a bug bounty.
"While this is a concern, this isn't considered a bug for the bug bounty program," said a Facebook security representative named Randy. "Facebook doesn't have control over telecom providers who reissue phone numbers or with users having a phone number linked to their Facebook account that is no longer registered to them."
In other words: Yes, it's a problem, but it's not our problem. Good to know that Facebook always has its users' backs. Martindale says that Facebook could fix this by permitting users to register only one mobile number with the service, and to forcibly deactivate older numbers when a user registers a new one.
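The fix Martindale proposes can be sketched as a service-side rule. The Python below is an added example, not Facebook's code or anything from Martindale's write-up; the `RecoveryDirectory` class, its method names, the email notification on reset and the phone numbers are all hypothetical.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Account:
    user_id: str
    email: str
    active_number: Optional[str] = None            # at most one recovery number
    retired_numbers: set = field(default_factory=set)


class RecoveryDirectory:
    """Hypothetical account store; not modelled on any real service's API."""

    def __init__(self):
        self.accounts = {}
        self.by_number = {}    # active number -> user_id; retired numbers never appear
        self.outbox = []       # (email, message) pairs standing in for sent mail

    def add_account(self, user_id, email):
        self.accounts[user_id] = Account(user_id, email)

    def register_number(self, user_id, number):
        acct = self.accounts[user_id]
        old = acct.active_number
        if old == number:
            return
        if number in self.by_number:
            raise ValueError("number is already linked to another account")
        if old is not None:
            # Forcibly deactivate the older number so a later holder cannot use it.
            del self.by_number[old]
            acct.retired_numbers.add(old)
            self.outbox.append((acct.email, f"{old} removed as a recovery number"))
        acct.active_number = number
        self.by_number[number] = user_id

    def start_sms_recovery(self, number):
        """Return the user_id a reset code may be texted for, or None."""
        user_id = self.by_number.get(number)
        if user_id is None:
            return None        # unknown or retired number: no reset offered
        acct = self.accounts[user_id]
        # Tell the owner out of band, the step the article says was missing.
        self.outbox.append((acct.email, f"password reset requested via {number}"))
        return user_id


# Constructed sample data: a user replaces an old number with a new one.
directory = RecoveryDirectory()
directory.add_account("alice", "alice@example.com")
directory.register_number("alice", "+15550100")
directory.register_number("alice", "+15550199")
```

With this rule, a reset request from the retired number returns nothing, and a request from the current number queues an email to the account owner.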