Facebook, as we all know, is a widely used social networking application. Millions of people use it every day to stay connected with friends and family around the world.

No doubt Facebook is working hard to protect its users, but attackers are just as busy trying to hijack user accounts, which is why Facebook faces new security flaws every day.

This article discusses how a Facebook account can be hijacked with nothing more than the victim’s phone number. This is not a vulnerability in Facebook itself that allows an attacker to do so; it is a flaw in the telecom service that renders Facebook’s security useless to some extent.

Many applications and websites use mobile verification (two-factor authentication) to authorize users. This service relies on SS7 (Signaling System 7), an architecture consisting of a suite of telephony signaling protocols. SS7 also handles prepaid billing, number translation, short message (SMS) delivery and other mass-market services over telecom networks.

Facebook and other web applications use this service for mobile verification: the code is sent to the user’s mobile phone over the SS7 network. Whenever a login request arrives at the server from an unknown device, Facebook’s security automatically prompts the user to complete a verification step, offering both mobile and email verification options.

“Positive Technologies” has done research that found a flaw leaving the SS7 network no longer trustworthy. An attacker can easily trick the SS7 network into trusting a message sent over it, without any check on its origin. This lets the attacker divert calls and messages from the victim’s mobile device to their own. All that is required is a phone registered on a network, the victim’s phone number and access to the Facebook application.

The researchers showed how simply they could access a Facebook user’s profile. The attacker clicks the “forgot password” option, which then asks for a username or phone number to identify the user profile. The victim’s phone number works here; once the profile has been identified, Facebook asks which channel should receive the code. Here the Wireshark tool helps the attacker analyze the victim’s phone network to receive the generated code. By entering the received code, the attacker gains access.

Although this is a network vulnerability, it leaves millions of critical accounts, such as online and e-banking accounts and other social networking applications, open to attackers who can easily snoop on and impersonate the victim.

Users should take some steps to protect themselves from such attacks. Alex Mathews, technical manager at Positive Technologies, suggests some countermeasures that will help users stay secure:

Don’t publish your phone number publicly. Rely solely on email verification rather than mobile verification. Use two-factor authentication that receives the code through an application rather than over SMS.
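The third countermeasure above works because an authenticator app never receives the code over the phone network at all: the code is computed locally from a secret shared at enrolment and the current time (RFC 6238 TOTP), so there is nothing for an SS7 redirect to intercept. The following Python block is an added example, not code from the article or from Positive Technologies, showing how such a server verifies app-generated codes. The shared secret is the constructed RFC 6238 reference seed (ASCII "12345678901234567890"); the `TotpVerifier` class, its replay check and the `window` parameter are this example's own design, not any vendor's API.

```python
import base64
import hashlib
import hmac
import struct

# Constructed demo secret: the RFC 6238 reference-vector seed, ASCII "12345678901234567890".
# A real deployment generates a random secret per user at enrolment time.
DEMO_SECRET = b"12345678901234567890"
TIME_STEP = 30   # seconds per counter value (RFC 6238 default)
DIGITS = 6       # code length shown by most authenticator apps


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24) | (mac[offset + 1] << 16) \
         | (mac[offset + 2] << 8) | mac[offset + 3]
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time."""
    return hotp(secret, unix_time // step, digits)


def provisioning_secret(secret: bytes) -> str:
    """Base32 form of the secret, the format authenticator apps import (e.g. via a QR code)."""
    return base64.b32encode(secret).decode("ascii")


class TotpVerifier:
    """Server-side verifier (hypothetical design for this example).

    Accepts a code only if it matches the current time step or one step either side
    (clock skew tolerance), and accepts each time step at most once, so a code that
    was observed by a third party cannot be replayed within its validity window.
    """

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window
        self.last_counter = -1  # highest counter already consumed by a successful login

    def check(self, candidate: str, unix_time: int) -> bool:
        counter = unix_time // TIME_STEP
        for delta in range(-self.window, self.window + 1):
            c = counter + delta
            if c <= self.last_counter:
                continue  # already used (or older): reject replays
            # constant-time comparison so timing does not leak which digits matched
            if hmac.compare_digest(hotp(self.secret, c), candidate):
                self.last_counter = c
                return True
        return False


if __name__ == "__main__":
    # The authenticator app computes the same value the server expects; no SMS is involved.
    print("shared secret (base32):", provisioning_secret(DEMO_SECRET))
    print("code at t=59:", totp(DEMO_SECRET, 59))
    verifier = TotpVerifier(DEMO_SECRET)
    print("first use accepted:", verifier.check(totp(DEMO_SECRET, 59), 59))
    print("replay rejected:", verifier.check(totp(DEMO_SECRET, 59), 60))
```

The values it produces match the published RFC 6238 test vectors for SHA-1, which is a convenient way to confirm a home-grown verifier before trusting it with logins. Note that the replay check protects against reuse of an already-accepted code; it does not help if the shared secret itself is exposed, so the secret must be stored as carefully as a password hash.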

These countermeasures will surely protect the user’s account from being taken over by attackers.