Security researchers from Positive Technologies show how a Facebook account can be hacked. All the attacker needs to know is the user's phone number.
As shown in the video below, attackers can take advantage of the social network's password recovery feature, which sends a one-time password via SMS to the user.
In a previous publication we reported that hackers have managed to exploit mobile devices using the SS7 global network.
Signaling System 7 (SS7) is a global network that connects all telephone operators around the world in a single node. The exploit abuses a known security flaw in SS7, which has proven to be relatively difficult to determine due to the way Signaling System 7 works.
Currently, Signaling System 7 is used by all cellular networks in the world, so the vulnerability affects all devices from every provider around the world.
The researchers managed to take advantage of vulnerable points in the SS7 network and obtain details of the victim's mobile device. Then they "register" the victim on a fake roaming network. This allows them to receive all calls and SMS messages meant for the victim, including the aforementioned SMS coming from Facebook.
With this code, attackers can easily access the victim's Facebook account and lock the victim out with a simple password change.
Security researcher Karsten Nohl told Forbes that creating simple rules on the SS7 firewall would resolve 90% of Signaling System 7 security
Your Facebook account will not be at risk from this attack if you use the two-factor authentication provided by the company. Once you add this security feature, the password recovery option stops sending codes via SMS.
Since this attack is possible because of the vulnerability in the SS7 system rather than a flaw in Facebook, it is very likely that it could also work against other online services that use the same password recovery mechanism.
Watch the video
https://www.youtube.com/watch?v=wc72mmsR6bM