Facebook Hacked Again: Only This Time, Anyone Can Do It

You might think that hacking Facebook accounts is something that only those with advanced technical skills would be able to do. After all, isn’t Facebook supposed to have all kinds of sophisticated security systems in place to protect users’ accounts?

Yep, it sure does, but a group of researchers at Rutgers University have come across a new vulnerability that skirts around its security protocols and could potentially allow anyone – including those who lack any hacking skills whatsoever – to take control of an alarming number of Facebook accounts.

The exploit, which is detailed in this research paper, will only work against accounts whose users signed up to Facebook with a Hotmail address that has since expired, but according to the researchers, that still leaves up to a million accounts at risk. The exploit takes advantage of the somewhat bizarre fact that Microsoft ‘retires’ Hotmail accounts after a period of 270 days of inactivity. Unlike other email services such as Google and Yahoo, however, it then allows anyone to sign up for and use the old email address associated with the retired account.

What this means, claim the researchers, is that anyone who signed up for Facebook using a since-expired Hotmail account can easily be hacked. All it takes is for someone to know that your old email account is available, sign up for it, and then send a forgotten password request to Facebook to gain access to your profile.

Identifying Accounts Ripe For Picking


Okay, so you’re probably thinking that it’s not a very big risk – after all, how are the hackers going to know your email address has expired in the first place? As it turns out, this information can be figured out quite easily because Microsoft unwittingly gives them the tools to do so.

The method for discovering expired Hotmail accounts will only work for contacts on the hacker’s own Facebook profile (which is probably even more of a worry). Incredibly, all the hacker has to do is import his list of Facebook contacts to Microsoft’s Windows Live messenger service to find out which ones have expired Hotmail accounts:

“The records in this imported list are categorized into two groups:

1. People who are currently on Windows Live.
2. People who are not currently on Windows Live.

Membership in the first category signifies that the person in question has already signed up for the Windows Live service; besides, people with Hotmail accounts are automatically signed up for Windows Live. On the other hand, membership in the second category denotes that the person in question does not currently hold an active Windows Live account. Then, in case that person’s email is a Hotmail email address, we can safely conclude that this email address has expired. We can then proceed to reactivate it ourselves.”

With control of their friend’s expired Hotmail account, it then becomes possible to reset their password and become the legitimate owner of their Facebook profile in a matter of seconds.

The researchers then went ahead and put their theory into action – starting with one of their own accounts that had 760 friends, they found that four of these were susceptible to the exploit. Having gained control of these four accounts, the hackers then applied the same discovery process to each account’s list of Facebook contacts, ultimately taking control of 15 different accounts before abandoning their experiment citing ‘ethical concerns’.

“We stopped our exploration after successfully gaining access to 15 accounts, which we thought sufficed to prove our point. We neither collected nor published any of the personal data we could access. Furthermore, we did not change any other recovery settings. Thus, the compromised users could regain access to the account by using their cellphone number or answering their security question.”

The researchers point out that neither Microsoft nor Facebook can be fully blamed for this exploit, but now that it has been made known, they need to take action to fix it. They argue that it’s ultimately Facebook’s responsibility to do so by providing alternative methods to reset passwords, for example, by using a combination of security questions and proof of knowledge about the account’s activities.

[UPDATE]

I’ve reached out to Facebook and a representative informed me that while it is possible to log in to someone’s profile in this way, the vulnerability only affects a very small number of accounts. Moreover, he points out that not only Facebook, but just about any kind of internet service could be hacked using this technique – Amazon, Twitter etc. – if they were initially registered with a Hotmail account.

To avoid any problems, Facebook suggests the following:

“Users can keep themselves safe by remaining in control of their email account. It’s also important to note that we do remove email addresses that we believe to be abandoned, and even if a malicious user does manage to register an abandoned email account, we provide numerous recovery options for the victim. Additionally, we do offer other recovery options (e.g. SMS and Trusted Contacts); in keeping with best practices elsewhere on the web, we also offer an email recovery option.”
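To make the two fixes discussed above concrete (the researchers’ call for a reset method that does not rely on the mailbox alone, and Facebook’s note that it drops abandoned addresses and offers SMS and Trusted Contacts), here is an added Python sketch of a reset policy that treats a long-unconfirmed address at a recycling provider as untrusted. This is example code written for this article, not code from the paper, Facebook or Microsoft; the Account fields, the three-contact minimum and the sample records are assumptions, and only the 270-day Hotmail window comes from the article.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Providers that re-issue retired addresses, keyed by domain, with the inactivity
# window after which an address becomes available to anyone. The 270-day Hotmail
# figure is from the article; no other provider is listed here (assumption).
RECYCLING_PROVIDERS = {"hotmail.com": timedelta(days=270)}

@dataclass
class Account:
    user: str
    email: str
    email_last_confirmed: datetime  # when the user last proved control of this mailbox
    has_sms: bool = False
    trusted_contacts: int = 0

def email_recovery_risk(acct, now):
    """(risky, reason): risky when the mailbox may have been retired and re-registered
    by someone else since the user last confirmed it."""
    domain = acct.email.rsplit("@", 1)[-1].lower()
    window = RECYCLING_PROVIDERS.get(domain)
    if window is None:
        return False, "provider is not known to re-issue retired addresses"
    if now - acct.email_last_confirmed > window:
        return True, f"{domain} address unconfirmed for over {window.days} days"
    return False, "address confirmed within the provider's retirement window"

def recovery_options(acct, now):
    """Reset channels to offer. Email is withheld when the mailbox is risky; an account
    with no other factor falls back to the knowledge-based proof the researchers propose."""
    risky, reason = email_recovery_risk(acct, now)
    options = [] if risky else ["email"]
    if acct.has_sms:
        options.append("sms")
    if acct.trusted_contacts >= 3:  # assumed minimum for a trusted-contacts vote
        options.append("trusted_contacts")
    if not options:
        options.append("security_question+activity_proof")
    return options, reason

# Constructed sample data, not real accounts; dates are arbitrary.
NOW = datetime(2013, 5, 1)
SAMPLE_ACCOUNTS = [
    Account("alice", "alice@hotmail.com", NOW - timedelta(days=300)),
    Account("bob", "bob@hotmail.com", NOW - timedelta(days=30), has_sms=True),
    Account("carol", "carol@gmail.com", NOW - timedelta(days=400), trusted_contacts=3),
]
```

Running `recovery_options` over `SAMPLE_ACCOUNTS` shows the first record refused an email reset and offered only the knowledge-based path, while the other two keep email alongside their second channel.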

About Mike Wheatley

Mike loves to talk about Big Data, the Internet of Things, Hacktivists and hacking, but he also hates Google and can never resist having a quick dig at them should the opportunity arise :) Got a REAL news story or tip? Email Mike@SiliconANGLE.com.